{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/b68188ab-1737-4622-af5f-c6e406c42ef8",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-e49bb68e65384f16-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:37:23Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.3",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags"
                },
                "name": "buildah-demo-eqavofstwy-apply-tags",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "53328",
                "uid": "b68188ab-1737-4622-af5f-c6e406c42ef8"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:37:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:37:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-e49bb68e65384f16-01"
                },
                "startTime": "2026-06-29T22:37:23Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://0c6f2da0a701a312720f29c2e39cad68605967c93f49a9c3a964522aa3902754",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:37:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:37:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy",
                                "--digest",
                                "sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-3625d6287f",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/1b46ee15-7601-47f4-813c-cf87f1b387bb",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-1e544b270db46f52-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:34:44Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.10.3",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah"
                },
                "name": "buildah-demo-eqavofstwy-build-container",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "52664",
                "uid": "1b46ee15-7601-47f4-813c-cf87f1b387bb"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Containerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "1170f583db17b9db20e993f89d6907dab9acc06f"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/conforma/golden-container.git"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.10@sha256:e8b6e6265738efa96a10230af1f76b05c1e9bc234f3daa03170838e5e459efb3"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "app-studio-default-workspace"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:36:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:36:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "e8b6e6265738efa96a10230af1f76b05c1e9bc234f3daa03170838e5e459efb3"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images@sha256:0804f7a888d0a7fe18a724c47a3d14a555d0909e0b47e80ac88e893ecf0ea50a"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-1e544b270db46f52-01"
                },
                "startTime": "2026-06-29T22:34:44Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:c96e3e6cc593a2dfbb443f39d0419777b099e425c5da23a8fe4fc4309ac6ac40",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://452dbececf43bb0e814f6f355a51232f9a26c624067137ff8342168500ca6b18",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:35:46Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:35:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:7881de18a51416bb20548a23897225a14f4301c78663531d8c78b7f8af249747",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://3cd3fbbf9f9071b557aef8d48ccdd91e84daef7ec7fb0a4eda5b84c6495a4e1d",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:35:54Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:35:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://a48ab9a54e107273ceb1476dc238fa64b1a81f9ad4091723bc70f3403796cb72",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:35:57Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:35:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:135eec87fe80d0751a1ea5e8e47b240147b25ee9a41973cae365540d2e2ee473",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://06d5a3a5095931d5053c822521b2787fac9c30b616fb6b07b51e28883379222f",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:36:12Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:35:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://50d92e3f6da0671d933d92bcdb19a74e61bf8c8da8bc124bf67cfbcdb2b11db2",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:36:37Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:0804f7a888d0a7fe18a724c47a3d14a555d0909e0b47e80ac88e893ecf0ea50a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:36:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level for the build command.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Allows to use parent images that don't match the build host architecture. This option must be used with caution as it may create incompatible images.",
                            "name": "ALLOW_CROSS_PLATFORM_IMAGES",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "KBC_LOG_LEVEL",
                                "value": "info"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            },
                            {
                                "name": "ALLOW_CROSS_PLATFORM_IMAGES",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--envs",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "1170f583db17b9db20e993f89d6907dab9acc06f"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/conforma/golden-container.git"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Containerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:eaf4bcc55d4753eb0776b9bf61257edb5661b1a574268ef41e8bccb348112dad",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  echo \"[$(date --utc -Ins)] Update CA trust\"\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Delete policy settings for Red Hat registries to disable signature verification.\n# TODO: don't do this?\ncontainer_policy=$(\n  jq '.transports |= (\n        del(.docker.[\"registry.access.redhat.com\"]) |\n        del(.docker.[\"registry.redhat.io\"]) |\n        if (.docker == {}) then del(.docker) else . end\n      )' /etc/containers/policy.json\n)\necho \"Effective container policy:\"\nprintf '%s\\n' \"$container_policy\" | tee /etc/containers/policy.json\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\necho \"[$(date --utc -Ins)] Run the build\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  ANNOTATIONS_FILE=$(realpath \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\")\nfi\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILD_ARGS_FILE=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nsecurity_args=(--security-opts unmask=/proc/interrupts)\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  security_args+=(--security-opts label=disable)\n  security_args+=(--cap-add all)\n  security_args+=(--devices /dev/fuse)\nfi\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  security_args+=(--cap-add \"${ADD_CAPABILITIES}\")\nfi\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  prefetch_dir=\"/workspace/source/cachi2\"\n  # KBC defaults to ${prefetch_dir}/copy-*\n  # Copy to a sibling dir instead in case we don't have write permissions to the prefetch_dir.\n  # It's still on the same filesystem, so copying via reflinks should be possible.\n  prefetch_dir_copy=\"/workspace/source/prefetch-copy\"\nelse\n  prefetch_dir=\"\"\n  prefetch_dir_copy=\"\"\nfi\n\nyum_repos_d_sources=()\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  yum_repos_d_sources+=(\"${YUM_REPOS_D_FETCHED}\")\nfi\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  yum_repos_d_sources+=(\"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\")\nfi\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 4. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    to \"/etc/pki/entitlement\" to prevent certificates from being included\nrhsm_args=()\nif [ \"${HERMETIC}\" != \"true\" ]; then\n  if [ -e /activation-key/org ]; then\n    rhsm_args+=(--rhsm-activation-key=/activation-key/activationkey\n                --rhsm-org=/activation-key/org\n                --rhsm-activation-mount=/activation-key)\n\n    if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n      # user is not running registration in the Containerfile: pre-register.\n      rhsm_args+=(--rhsm-activation-preregister)\n    fi\n  elif find /entitlement -name \"*.pem\" \u003e /dev/null; then\n    rhsm_args+=(--rhsm-entitlements=/entitlement)\n  fi\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\ncmd=(\n    konflux-build-cli image build\n    -f \"$dockerfile_path\" -t \"$IMAGE\" --source \"$SOURCE_CODE_DIR\" --context \"$CONTEXT\"\n    --secret-dirs \"src=/additional-secret,name=$ADDITIONAL_SECRET,optional=true\"\n    --workdir-mount \"$WORKINGDIR_MOUNT\"\n    --target \"$TARGET_STAGE\"\n    --inherit-labels=\"$INHERIT_BASE_IMAGE_LABELS\"\n    --source-date-epoch \"$BUILDAH_SOURCE_DATE_EPOCH\"\n    --rewrite-timestamp=\"$BUILDAH_REWRITE_TIMESTAMP\"\n    --squash=\"$SQUASH\"\n    --omit-history=\"$BUILDAH_OMIT_HISTORY\"\n    --image-source \"$SOURCE_URL\"\n    --image-revision \"$COMMIT_SHA\"\n    --quay-image-expires-after \"$IMAGE_EXPIRES_AFTER\"\n    --build-args-file \"$BUILD_ARGS_FILE\"\n    --annotations-file \"$ANNOTATIONS_FILE\"\n    --legacy-build-timestamp \"$BUILD_TIMESTAMP\"\n    --add-legacy-labels\n    --include-legacy-buildinfo-path=\"$ICM_KEEP_COMPAT_LOCATION\"\n    --skip-injections=\"$SKIP_INJECTIONS\"\n    --skip-unused-stages=\"$SKIP_UNUSED_STAGES\"\n    --hermetic=\"$HERMETIC\"\n    --image-pull-proxy \"$BUILDAH_HTTP_PROXY\"\n    --image-pull-noproxy \"$BUILDAH_NO_PROXY\"\n    --yum-repos-d-sources \"${yum_repos_d_sources[@]}\"\n    --yum-repos-d-target \"$YUM_REPOS_D_TARGET\"\n    --prefetch-dir \"$prefetch_dir\"\n    --prefetch-dir-copy \"$prefetch_dir_copy\"\n    --prefetch-env-mount /cachi2/cachi2.env\n    --prefetch-output-mount /cachi2/output\n    \"${security_args[@]}\"\n    \"${rhsm_args[@]}\"\n    --containerfile-json-output /shared/parsed_dockerfile.json\n    --resolved-base-images-output /shared/base_images_digests\n    --no-cache\n    --ulimits nofile=4096:4096\n    --src-tls-verify=\"$TLSVERIFY\"\n    --dest-tls-verify=\"$TLSVERIFY\"\n    --allow-cross-platform-images=\"$ALLOW_CROSS_PLATFORM_IMAGES\"\n    \"$@\"  # --annotations, --labels, --envs, --build-args\n)\n\necho \"[$(date --utc -Ins)] $(printf '%q ' \"${cmd[@]}\")\"\n\n\"${cmd[@]}\"\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"${prefetch_dir}/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp \"${prefetch_dir}/output/bom.json\" ./sbom-prefetch.json\nfi\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "buildah-demo-eqavofstwy-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:7881de18a51416bb20548a23897225a14f4301c78663531d8c78b7f8af249747",
                            "name": "push",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.1-1782136886@sha256:1374bc35c71781987cce00ef5efe2be42923f83def19b60a570e947189b90d15",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/e53ff8eb-f507-414c-8bf0-2e42990571fd",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-5630d65ec5348881-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:36:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.3",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index"
                },
                "name": "buildah-demo-eqavofstwy-build-image-index",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "53302",
                "uid": "e53ff8eb-f507-414c-8bf0-2e42990571fd"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:37:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:37:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-5630d65ec5348881-01"
                },
                "startTime": "2026-06-29T22:36:38Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://1efb7cbe0df07679c179fabb7c7ed2fc186d716797dcdd325709507f71813909",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:37:19Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:37:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:135eec87fe80d0751a1ea5e8e47b240147b25ee9a41973cae365540d2e2ee473",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://40352dd32a6b5757c9754c061af734d35cc8bd2a17c44bc07b2268ba031b04fd",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:37:20Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:37:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://6f03202323dfa9679d886da61de841e3fabe4c9b1b268ee9e11f778209d3fc33",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:37:22Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:37:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n  --image \"$IMAGE\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --buildah-format \"$BUILDAH_FORMAT\" \\\n  --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n  --additional-tags \"buildah-demo-eqavofstwy-build-image-index\" \\\n  --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n  --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n  --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n  --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n  --result-path-images \"/tekton/results/IMAGES\" \\\n  --images \"$@\"; then\n  echo \"Failed to build image index\"\n  exit 1\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.1-1782136886@sha256:1374bc35c71781987cce00ef5efe2be42923f83def19b60a570e947189b90d15",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-3625d6287f",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/09bc291d-b113-495f-a10d-871e0fa6ccde",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-a6283d8ef06ded93-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:34:00Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.2.1",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone"
                },
                "name": "buildah-demo-eqavofstwy-clone-repository",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "50803",
                "uid": "09bc291d-b113-495f-a10d-871e0fa6ccde"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/conforma/golden-container.git"
                    },
                    {
                        "name": "revision",
                        "value": ""
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.2@sha256:4b5a4e1f2bedd121810c6cec84515251f7d648a67f8847fb4d8288aed4411010"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "app-studio-default-workspace"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:34:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:34:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "4b5a4e1f2bedd121810c6cec84515251f7d648a67f8847fb4d8288aed4411010"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "1170f583db17b9db20e993f89d6907dab9acc06f"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/conforma/golden-container.git"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "1170f583db17b9db20e993f89d6907dab9acc06f"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1743528558"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "1170f58"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/conforma/golden-container.git"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-a6283d8ef06ded93-01"
                },
                "startTime": "2026-06-29T22:34:00Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b960a0972b6628b13b4fb4e803e16c427f0066f079a0d2cba6d47d81750a9eaa",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ee3919092d28836d9e3797a73b7ecddce61c896cce85e0082528fa6bf406a688",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:34:27Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"1170f583db17b9db20e993f89d6907dab9acc06f\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/conforma/golden-container.git\",\"type\":1},{\"key\":\"commit\",\"value\":\"1170f583db17b9db20e993f89d6907dab9acc06f\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1743528558\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"1170f58\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/conforma/golden-container.git\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:34:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched. Empty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Minimum length of the short commit SHA. Git may return a longer prefix if needed for uniqueness.",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level for the git-clone command.",
                            "name": "logLevel",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "Abbreviated commit SHA for the checkout. At least params.shortCommitLength characters; longer if Git requires more for uniqueness.",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "350m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_GIT_CLONE_URL",
                                    "value": "https://github.com/conforma/golden-container.git"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_REVISION"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_REFSPEC"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_OUTPUT_DIR",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_BASIC_AUTH_DIRECTORY"
                                },
                                {
                                    "name": "KBC_GIT_CLONE_SSH_DIRECTORY"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b960a0972b6628b13b4fb4e803e16c427f0066f079a0d2cba6d47d81750a9eaa",
                            "name": "clone",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf \"$ca_bundle\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\nRESULT_FILE=\"$(mktemp)\"\nkonflux-build-cli git-clone \u003e \"${RESULT_FILE}\"\n\nprintf \"%s\" \"$(jq -r '.commit' \"${RESULT_FILE}\")\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"$(jq -r '.shortCommit' \"${RESULT_FILE}\")\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"$(jq -r '.url' \"${RESULT_FILE}\")\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"$(jq -r '.commitTimestamp' \"${RESULT_FILE}\")\" \u003e \"/tekton/results/commit-timestamp\"\nprintf \"%s\" \"$(jq -r '.\"CHAINS-GIT_URL\"' \"${RESULT_FILE}\")\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(jq -r '.\"CHAINS-GIT_COMMIT\"' \"${RESULT_FILE}\")\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\n\nMERGED_SHA=$(jq -r '.mergedSha // empty' \"${RESULT_FILE}\")\nif [ -n \"${MERGED_SHA}\" ]; then\n  printf \"%s\" \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/81f76319-c7fc-4224-a1e5-8722322fcb0f",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-7231fe85c07e3ad8-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:33:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.4.2",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "buildah-demo-eqavofstwy-init",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "50413",
                "uid": "81f76319-c7fc-4224-a1e5-8722322fcb0f"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4.2@sha256:421003a5c077ecb820460e71637125ec9093d2101c749a32ede28e190283e9db"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:34:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:34:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "421003a5c077ecb820460e71637125ec9093d2101c749a32ede28e190283e9db"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-7231fe85c07e3ad8-01"
                },
                "startTime": "2026-06-29T22:33:42Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://97d355ae1772ff9b290ded52f6c94be0e57e8a127bc134fb59708a627e4b4900",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:33:59Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:33:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-3625d6287f",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/771bb1fe-ef5e-4fa6-b3ee-9727d5bb2059",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-94a54b9e37671b41-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:34:28Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.3.2",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies"
                },
                "name": "buildah-demo-eqavofstwy-prefetch-dependencies",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "51078",
                "uid": "771bb1fe-ef5e-4fa6-b3ee-9727d5bb2059"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    },
                    {
                        "name": "enable-package-registry-proxy",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:d0b4afa12ab44316eb7d34c837981068dcbbc06343ecabf8f38657375abe29b3"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "app-studio-default-workspace"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:34:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:34:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d0b4afa12ab44316eb7d34c837981068dcbbc06343ecabf8f38657375abe29b3"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-94a54b9e37671b41-01"
                },
                "startTime": "2026-06-29T22:34:28Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:27936b01262824104cce87d433ffcb622bf906bc833033b6b05c62257f3c3232",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://708bf331e1be7d4b91165311ed9ea650e6448775224b4081ffe053fbe899df05",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:34:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:34:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "service-ca.crt",
                            "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.",
                            "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "openshift-service-ca.crt",
                            "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.",
                            "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Use the package registry proxy when prefetching dependencies",
                            "name": "enable-package-registry-proxy",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "imagePullPolicy": "IfNotPresent"
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILES",
                                    "value": "/workspace/source/cachi2/cachi2.env /workspace/source/cachi2/prefetch.env /workspace/source/cachi2/prefetch-env.json"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                },
                                {
                                    "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY",
                                    "value": "true"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.55.0@sha256:27936b01262824104cce87d433ffcb622bf906bc833033b6b05c62257f3c3232",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n  echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n  cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n  UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n  update-ca-trust\n  # requests ignores the system CA store. Set REQUESTS_CA_BUNDLE explicitly.\n  export REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/service-ca",
                                    "name": "service-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "service-ca.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "openshift-service-ca.crt",
                                "optional": true
                            },
                            "name": "service-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-3625d6287f",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c/records/a94c8d2c-cd2c-4ac9-afd0-2a4200d2f053",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-43684cb1f5099b2bb96c1c19ac4a17f4-805e85236981b0e3-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:37:23Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.3.1",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "pipelines.openshift.io/runtime": "generic",
                    "pipelines.openshift.io/strategy": "docker",
                    "pipelines.openshift.io/used-by": "build-cloud",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "docker-build",
                    "tekton.dev/pipelineRun": "buildah-demo-eqavofstwy",
                    "tekton.dev/pipelineRunUID": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile"
                },
                "name": "buildah-demo-eqavofstwy-push-dockerfile",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "buildah-demo-eqavofstwy",
                        "uid": "5d81fa56-c1fa-4dcd-a0ce-bbe546fe0c6c"
                    }
                ],
                "resourceVersion": "53650",
                "uid": "a94c8d2c-cd2c-4ac9-afd0-2a4200d2f053"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Containerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:63b5704945accd668406746c95c314e21f861667dc083cff8194de4cc9085910"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "app-studio-default-workspace"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:37:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:37:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "buildah-demo-eqavofstwy-push-dockerfile-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "63b5704945accd668406746c95c314e21f861667dc083cff8194de4cc9085910"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/test-images@sha256:147969863d7a5aa5411e88735a8a7251b694ccabf12c1d9fa551a053f4874836"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-43684cb1f5099b2bb96c1c19ac4a17f4-805e85236981b0e3-01"
                },
                "startTime": "2026-06-29T22:37:23Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://13b33f1cf149c3b66837414ba011d74c92f964a365391ff275de87a4c929d272",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:37:51Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:147969863d7a5aa5411e88735a8a7251b694ccabf12c1d9fa551a053f4874836\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:37:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Containerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy",
                                "--image-digest",
                                "sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/0110ca6d-4a36-494e-94fb-44eca4df632d/records/71286e83-2f18-4886-8b5d-40a3bad64566",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/0110ca6d-4a36-494e-94fb-44eca4df632d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-58af2177f6c9a6ed4af9bcf7d0769ca8-e29162045e838e69-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:39:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-b2f8m",
                    "tekton.dev/pipelineRunUID": "0110ca6d-4a36-494e-94fb-44eca4df632d",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-b2f8m-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-b2f8m",
                        "uid": "0110ca6d-4a36-494e-94fb-44eca4df632d"
                    }
                ],
                "resourceVersion": "55614",
                "uid": "71286e83-2f18-4886-8b5d-40a3bad64566"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:latest\",\"source\":{}},{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/golden-image-public-keyziscanohqm"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:39:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:39:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-159cc5bc7a3a4686a14e2a7a99f0302f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772773\",\"namespace\":\"\",\"successes\":84,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-58af2177f6c9a6ed4af9bcf7d0769ca8-e29162045e838e69-01"
                },
                "startTime": "2026-06-29T22:39:16Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://be9d6a33e42e7e752c81f8a622a44162d8157d7cc261da02232e20a7302158c8",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:22Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://942446d1f9bf7bcb6e5252a4db725ddfef8b22647c91f69f5ca3c4a0e4e178a4",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://d923d48068e186fbe447d4f5a2cb9a395bc3b15c70b82a0fc6efd09c314a0d91",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://33c9a526d2c65d3fdfe3e74cd2ea8cde00bab7248f625b7f736077c79f0a2d6d",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://fb7957f3939d5294725a3cc9867e079550b4ce3238faa1660b5f183a11d6aaec",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://861a74b92b1f9516cd8fea3730c97277feb7b969e2b60f1e5eddb205b3213c6a",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://c499825c6f78eafb7d795dcca98c1c556769781d75e06c4b1c185478a52f472c",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://3236805658ed0df796272fee9484fa3dac104d04f2ef159bb4b9903a0cfe4d3b",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://8e2873b12fb8bd65f2e6abd858b8342c7deb6b799f78c44872f2342e91b89490",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772773\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":84,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:latest\",\"source\":{}},{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/golden-image-public-keyziscanohqm"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/62663538-610f-4165-b2fb-7efd5c5fd6be/records/af04662f-e4db-4b4e-b24c-b70652cb8fba",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/62663538-610f-4165-b2fb-7efd5c5fd6be",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-fa1590290fa8846121e0d83e571d70a2-b009ecbf2d6c2081-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:39:02Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-cqldd",
                    "tekton.dev/pipelineRunUID": "62663538-610f-4165-b2fb-7efd5c5fd6be",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-cqldd-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-cqldd",
                        "uid": "62663538-610f-4165-b2fb-7efd5c5fd6be"
                    }
                ],
                "resourceVersion": "55270",
                "uid": "af04662f-e4db-4b4e-b24c-b70652cb8fba"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:latest\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/cosign-public-key"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:39:15Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:39:15Z",
                        "message": "\"step-assert\" exited with code 1: Error",
                        "reason": "StepFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-503b21fdcf32b6aec70c17ad0b20f4d6-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772754\",\"namespace\":\"\",\"successes\":0,\"failures\":6,\"warnings\":0,\"result\":\"FAILURE\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-fa1590290fa8846121e0d83e571d70a2-b009ecbf2d6c2081-01"
                },
                "startTime": "2026-06-29T22:39:02Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://028ea104628f33f13565343f6af141dc510ad2aac3d9ce5ee051908fcb0a5dfb",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:08Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ef6266b23968d0ef38c53e46fc7bc3749baafcbcca4b7599474bd2cdee1efd48",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ab5a189c93c808f574ae73d9e87646a68e2fc030b0d721539a71a9bb0199dbda",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://8a8d56eccef7b7ad23535900aff2736c4457606f41fcde657437a013a3190561",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://29607eafad5187e8e7a69a10913708ba07b2e6d51e0580e6d21f36f05e1d1428",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://35070d48ae8f091d9f5227ba1c63d7923c11ff3f71a7093af215d97727654cff",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ee3b2bcdecc3cc71402a075add5e7c45b5ac341aa7e27740ede2bda62958f9c0",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://507fe675245585e270109dc553c2d69d2fd019fb1148ad78ccd7f7789fdb1d67",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://d690a635c6285e4f10a3ceefae07dd5a2f2575dd4b1c59d17e7c08e431afc378",
                            "exitCode": 1,
                            "finishedAt": "2026-06-29T22:39:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772754\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":6,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Error",
                            "startedAt": "2026-06-29T22:39:14Z"
                        },
                        "terminationReason": "Error"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:latest\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/cosign-public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/0d9cff63-42fd-4834-978b-4e22f924c90e/records/dbd4e686-b87e-46ae-959d-e99ba825ce7a",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/0d9cff63-42fd-4834-978b-4e22f924c90e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-2085131a272a54b208be9ff2e3472b78-c674b3423ac38670-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:40:08Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-fc9b6",
                    "tekton.dev/pipelineRunUID": "0d9cff63-42fd-4834-978b-4e22f924c90e",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-fc9b6-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-fc9b6",
                        "uid": "0d9cff63-42fd-4834-978b-4e22f924c90e"
                    }
                ],
                "resourceVersion": "56501",
                "uid": "dbd4e686-b87e-46ae-959d-e99ba825ce7a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/golden-image-public-keybxxymenrvm"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:40:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:40:24Z",
                        "message": "\"step-assert\" exited with code 1: Error",
                        "reason": "StepFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-6a168efb6b0692ab5eb45065c650176d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772823\",\"namespace\":\"\",\"successes\":3,\"failures\":11,\"warnings\":0,\"result\":\"FAILURE\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-2085131a272a54b208be9ff2e3472b78-c674b3423ac38670-01"
                },
                "startTime": "2026-06-29T22:40:09Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://20a09e342965c9362105a8662fe6e79fcedf159ad8625db16347ac3ed610a094",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:14Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:14Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ad7f3517d519b0d36f85a5ed8e083e9a58674ebc526b4275d36d32749550fd1d",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:14Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://4fb86cfd2c793fc1636f7774d9ab2d1df47af3df1844ef883e0010d18e481971",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://c96b3b9db3c4eb4abd8a0a3a7fade0506383b2fc4377d6438c48dd2a253f8da0",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://bf318d80e726070f4d23c4cf7bd10ef1e1229b82cfdd50259a7b2589bb5bd10c",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://f0cf4da36ca0d142a09597ef720a0e7eef0475442cd458ba865c925bd99bf012",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://17ffdbb35c5a9a912f19b49da978a150b8feb4c28722a9d38efc57086cc38f3c",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://752e9fbf0446386a484e284609d21e621cc884b5c990c7214a1c398e93abe9a4",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://16065a846df2f4e1a625328870b0eb973744f62a2b530c7c85c670236e5e5830",
                            "exitCode": 1,
                            "finishedAt": "2026-06-29T22:40:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772823\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":11,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Error",
                            "startedAt": "2026-06-29T22:40:24Z"
                        },
                        "terminationReason": "Error"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/golden-image-public-keybxxymenrvm"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/cf7d0cd3-0772-4817-b2c4-c941244eadec/records/eaedf315-bed6-45d7-9ef4-a5154084d8f9",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/cf7d0cd3-0772-4817-b2c4-c941244eadec",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-96394de35aefdf3fde425200f9ef8f2b-5eea3b8ed5cc5386-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:38:35Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-ln2kb",
                    "tekton.dev/pipelineRunUID": "cf7d0cd3-0772-4817-b2c4-c941244eadec",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-ln2kb-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-ln2kb",
                        "uid": "cf7d0cd3-0772-4817-b2c4-c941244eadec"
                    }
                ],
                "resourceVersion": "54718",
                "uid": "eaedf315-bed6-45d7-9ef4-a5154084d8f9"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/cosign-public-key"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:38:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:38:49Z",
                        "message": "\"step-assert\" exited with code 1: Error",
                        "reason": "StepFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-86e0bdcbcc40b77f2518350629b09aa6-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772727\",\"namespace\":\"\",\"successes\":5,\"failures\":1,\"warnings\":0,\"result\":\"FAILURE\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-96394de35aefdf3fde425200f9ef8f2b-5eea3b8ed5cc5386-01"
                },
                "startTime": "2026-06-29T22:38:35Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://c2a42ceb94c4eb137f338c600d0dfe08781b6c77781fc0ed1e38dcc546c1adf5",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:42Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:42Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://cde3b3cce78054ce33f9547aac234d36c4077edb544f9f7011a92db55751e33b",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:42Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://0a0d5b919cd81b735443a964382e43f75c620760c0c6a0f2900f1d0d8c2662bd",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:47Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://7eb9ce1f61b8f67371258af1f67e598516a11c6db1f3e80162ff51becf7d5a42",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://5c026d60ffa1133881ce6a61568fc5bf41b2de58d7e741d689ca23a6ecbf7c14",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://c108691e797e605ea122535bc19e8610940bacabbe0e1c26218face6848febf3",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://521150ea5f8cc48465fb114e4d71d83424784776fff87b6c508fa1ba9f7c562e",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://21fc3aae261c573c1cf8135f80285a583d8a830765819d07b8ca9168f6c7ae29",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://9a79ba41fc390ee578ef66d05510f8430a87f00389afd8b9e38725e690afbbf8",
                            "exitCode": 1,
                            "finishedAt": "2026-06-29T22:38:49Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772727\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Error",
                            "startedAt": "2026-06-29T22:38:49Z"
                        },
                        "terminationReason": "Error"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/cosign-public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/25b457d0-740f-41fe-94af-629d9a86295e/records/66ab7725-3b64-472f-b328-aab753172339",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/25b457d0-740f-41fe-94af-629d9a86295e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-1e911d16ec79cc24f685c1b6a0a5a9cd-52df6efacf95f830-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:37:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-ncmd2",
                    "tekton.dev/pipelineRunUID": "25b457d0-740f-41fe-94af-629d9a86295e",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-ncmd2-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-ncmd2",
                        "uid": "25b457d0-740f-41fe-94af-629d9a86295e"
                    }
                ],
                "resourceVersion": "54059",
                "uid": "66ab7725-3b64-472f-b328-aab753172339"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/cosign-public-key"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:38:15Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:38:15Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-9a5aa80997b34d2291e00836106a4e2a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772694\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-1e911d16ec79cc24f685c1b6a0a5a9cd-52df6efacf95f830-01"
                },
                "startTime": "2026-06-29T22:37:55Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://d1216956e57e2ce55c78815051cf64a74791ce04429a4e86ee96dd3472324e01",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:08Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://47e2f9caf4e941607b814f00a2076a988fbd18ab62b22b73e183fed0485ede80",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://48ee1675fc273dc7631ff576b3c867c7410e5fbe28bf97c9cdc200c16689de03",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://27e15461aded4f037a4ceba8da0e94a5e7999c22b6bcedef5b8579babed35276",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://f88ea6a09cae630c6e36bb77be8c1be60c6e04b8fff4456297baae93b5e00f16",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://e60ef0e14b5dd2351e4c3ac6ab538832ecea9423417b26641ae56e061a2063f1",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://99165c2e49f713477b74da2da720f0a2d5f89e814a464aa121bf184b6466219f",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ea3a607f867cf0c5aa070501a0a5fdbd69ff49922587a40831d83cc8db67f33a",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://684cdc33c3e2f7cba44716b15050e66a24bee8401999efc51513e3f864867bac",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:14Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772694\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/cosign-public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/9fde0800-e3a7-4906-9b48-627823692a6c/records/2fc82add-ef16-422a-b721-db68602f66ed",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/9fde0800-e3a7-4906-9b48-627823692a6c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-72d9a68c827c873c2bd6c2165c51cef5-44434599f4989c2b-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:38:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-pmxrn",
                    "tekton.dev/pipelineRunUID": "9fde0800-e3a7-4906-9b48-627823692a6c",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-pmxrn-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-pmxrn",
                        "uid": "9fde0800-e3a7-4906-9b48-627823692a6c"
                    }
                ],
                "resourceVersion": "54967",
                "uid": "2fc82add-ef16-422a-b721-db68602f66ed"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/dummy-public-key-bhoyiwrtpc"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:39:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:39:01Z",
                        "message": "\"step-assert\" exited with code 1: Error",
                        "reason": "StepFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-b22459da8f6fc87cf0b7f0b041433bbf-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772739\",\"namespace\":\"\",\"successes\":0,\"failures\":2,\"warnings\":0,\"result\":\"FAILURE\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-72d9a68c827c873c2bd6c2165c51cef5-44434599f4989c2b-01"
                },
                "startTime": "2026-06-29T22:38:50Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://b62106e60031709d9a9534d7dadffecdd3c469676bfc041f29625204d6813c35",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:56Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:56Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ed4b1e0bcea311f2c6466f940ee6de0d8da84140591ce87d3dc03a9379540ba7",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:56Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://092bc67e750122597c7097cac7d8e6615b6c637e54c42220be5e8b6d035a4dfb",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:59Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://251d01470ac5254c9e495cd75d06134157ca1974c50b4e82d131ca297f1e6756",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://354faf9ee2c1ac44989741d21d47459d088695dff39ed7c5b515edfc9cab8c28",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://77f517d8ef4f811f3f1fe5101aee3a55cd12474ae3e93f950b076106aed34c0e",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://bd12c71ca7e21f76c275a880e74811bbf9a9fe5b144840dd987c4f84073fda98",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://3c490e118ed35790071d0c4224f9dcc657087494756e27fd45e810c50096c4ff",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://b828d447a30eca2493aafdf4cd669aa74302f911f358d28c28c1dd315109ffaf",
                            "exitCode": 1,
                            "finishedAt": "2026-06-29T22:39:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772739\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":0,\\\"failures\\\":2,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Error",
                            "startedAt": "2026-06-29T22:39:00Z"
                        },
                        "terminationReason": "Error"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/dummy-public-key-bhoyiwrtpc"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/7a9630e2-5289-4d0b-afef-7a7fc65c3d84/records/46c59181-f255-4193-b98d-e5e08b7d133e",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/7a9630e2-5289-4d0b-afef-7a7fc65c3d84",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-8fff830d536c3629152e42a9632ff693-9963566fb3976ccb-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:38:15Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-s6ntq",
                    "tekton.dev/pipelineRunUID": "7a9630e2-5289-4d0b-afef-7a7fc65c3d84",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-s6ntq-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-s6ntq",
                        "uid": "7a9630e2-5289-4d0b-afef-7a7fc65c3d84"
                    }
                ],
                "resourceVersion": "54391",
                "uid": "46c59181-f255-4193-b98d-e5e08b7d133e"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/cosign-public-key"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "false"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:38:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:38:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-939d4234ffbadc69e3c583bab37906ab-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772713\",\"namespace\":\"\",\"successes\":5,\"failures\":1,\"warnings\":0,\"result\":\"FAILURE\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-8fff830d536c3629152e42a9632ff693-9963566fb3976ccb-01"
                },
                "startTime": "2026-06-29T22:38:15Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://a7c63e691d9ae025f16364de71a1ba3d8b4bfcbcfc4cdc4226876164beeddd01",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:27Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://2bac4ef6d7991b02ca23100fb5b863d3ed58da715e39c6384e03d3a897e41c6b",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://3c13f2ab8c4a85dd40b7e78be62b84207f7da1c75674d9b3f97d5b66e3bbffef",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://902c6b05586a6ef9f331502dc14f2085f2e8603a7f42d00416c70fc2c9dab552",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://bc9d23ec76c767bd9f5a59bcf76636b4a3b36d681f07fca2c30d1cfc42a40719",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://be49afd064da4976df50f2baa0d5d7c1e4d9f8e3defa9d4553edb7329bd6f4b1",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://f2f4c08075e2881f19b583a7965083f674f39f2fd9c7529e1001e2d7c01e0ff7",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://d8c8a95bae6d2298a5a88da892aaa5f18ecfb22eec94919a85ccb8ca25f1bddd",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://58b791cd3ce89428acc7b2c02f071fe9b9c1f28ee10bf7c16790de5812f57cc5",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:38:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772713\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":5,\\\"failures\\\":1,\\\"warnings\\\":0,\\\"result\\\":\\\"FAILURE\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:38:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-eqavofstwy@sha256:43480604b950bd6ede5cb0728b6ad8bbbd8ed59154238f2db47e9b7f6b9ef35a\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/cosign-public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "false",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5be10906-b9b5-4824-88e8-8fca4b1a7245/records/03e7b9ec-9922-41f4-91c0-db5a4f145a63",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5be10906-b9b5-4824-88e8-8fca4b1a7245",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-e17c460856230c92c72b7245775fde0a-af6847c5910f9f9d-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:40:25Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-vzhnc",
                    "tekton.dev/pipelineRunUID": "5be10906-b9b5-4824-88e8-8fca4b1a7245",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-vzhnc-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-vzhnc",
                        "uid": "5be10906-b9b5-4824-88e8-8fca4b1a7245"
                    }
                ],
                "resourceVersion": "56780",
                "uid": "03e7b9ec-9922-41f4-91c0-db5a4f145a63"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/enterprise-contract-tests:e2e-test-unpinned-task-bundle\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/unpinned-task-bundle-public-keyqcwanpjtur"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:40:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:40:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-ef1bacac16d0f23c8269f99263385b25-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772838\",\"namespace\":\"\",\"successes\":3,\"failures\":0,\"warnings\":16,\"result\":\"WARNING\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-e17c460856230c92c72b7245775fde0a-af6847c5910f9f9d-01"
                },
                "startTime": "2026-06-29T22:40:25Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://409def5b2fb4c52b20a01f08156a8abe7f3436d3d48ce5f8dfc01de4c1d6a9fa",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:31Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://dc211e7a6efca66a6554cccbaa5ee715cca26b40b42d56c2870c5e094336f74a",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://38e58cf7c17e5f708814f311685a728e258e07c3585ed49e1221cf7edcf4fa38",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:38Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://8a2e73ed31bb2e7071e76888b78bed95565a8a018ab36861cd98f5ed75ff92b1",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://006d1f8ff6ce561d73bc8961027273dc8db05b72a7b6ab63b88b6c3c6395f1f5",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://0bd4deab6201663b10b8a3bf2b03e7648ff7deecab9b5dbcf1dc1cc263268ada",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://3aafa74d64565fbcd76ad6286a7c4c84fe196491824b4470107b06b8d05c5f00",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://ce019d8ea539c76a7f0f00322e8497d941d66345ad63984b28ad4af338b14cb4",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://f522d68fc991664858d0d005d548b46534f430adb4c6a74848a79b7bf546b0f9",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772838\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":3,\\\"failures\\\":0,\\\"warnings\\\":16,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/redhat-appstudio-qe/enterprise-contract-tests:e2e-test-unpinned-task-bundle\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/unpinned-task-bundle-public-keyqcwanpjtur"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "chains-e2e-ktby/results/5277087d-1cff-4a18-9101-1f135258d19c/records/44d048b3-119f-42e6-a204-d4dd73e5e1a4",
                    "results.tekton.dev/result": "chains-e2e-ktby/results/5277087d-1cff-4a18-9101-1f135258d19c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-08a4005bd62a4384f647f06a7ebb4b13-cad160f870f3a1cd-01\"}"
                },
                "creationTimestamp": "2026-06-29T22:39:35Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "",
                    "kueue.x-k8s.io/priority-class": "konflux-default",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "verify-enterprise-contract-run",
                    "tekton.dev/pipelineRun": "verify-enterprise-contract-run-zwk84",
                    "tekton.dev/pipelineRunUID": "5277087d-1cff-4a18-9101-1f135258d19c",
                    "tekton.dev/pipelineTask": "verify-enterprise-contract",
                    "tekton.dev/task": "verify-enterprise-contract"
                },
                "name": "verify-enterprise-contract-run-zwk84-verify-enterprise-contract",
                "namespace": "chains-e2e-ktby",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "verify-enterprise-contract-run-zwk84",
                        "uid": "5277087d-1cff-4a18-9101-1f135258d19c"
                    }
                ],
                "resourceVersion": "56165",
                "uid": "44d048b3-119f-42e6-a204-d4dd73e5e1a4"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:latest\",\"source\":{}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "ec-policy"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://chains-e2e-ktby/golden-image-public-keygcxvygygnp"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "EFFECTIVE_TIME",
                        "value": "now"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    }
                ],
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:kf-b345847182602d9a5ce9e957fa76fe02575c8018@sha256:7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "2h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-06-29T22:40:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-29T22:40:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "verify-enterprise-contract-53eb25498e9379569ca2b7ddb1250704-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7df8d121c09999d0376e189c1eb8a8263078aab697aa5ee966512f581427a6ce"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782772806\",\"namespace\":\"\",\"successes\":420,\"failures\":0,\"warnings\":39,\"result\":\"WARNING\"}\n"
                    }
                ],
                "spanContext": {
                    "traceparent": "00-08a4005bd62a4384f647f06a7ebb4b13-cad160f870f3a1cd-01"
                },
                "startTime": "2026-06-29T22:39:35Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "initialize-tuf",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://57cb3567332c38f9ff14bf141d805c45358a95e9cdebdc44a0c817762f2b89d0",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:41Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "reduce",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://f38bd1b4e473b8589942eeaa9cf99868c2a4407ced96831c07f3096f40e8be97",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:39:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "validate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://836f3f7b53b05ca9dcec2f678cc291c87c42070e37cfe3d1a3cd698f06e39f33",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:39:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "report-json",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://7208e3b0d8a88b8a68a59657a5f7389008678be9e44252e30c6eb05cffefe208",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "summary",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://8cc6f377e85c0d75cf8ec54dafc3b491441ddbe43848902b7f558a5b9c8d6ff6",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "version",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://44b04597726ed3c156bb06af88c4c4fffb425eab1a6c0985af1636b1391d965e",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:07Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "show-config",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://18cdf0fbf86d0d3771a901856dca61d7a58bbc557d259d3aad967fd6e2ab2590",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:07Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "detailed-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://49ef2a0bc890557a75d04c6a14a6a3245ed5433c09ca15bc5f72b89b957079a6",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:07Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                        "name": "assert",
                        "provenance": {},
                        "terminated": {
                            "containerID": "cri-o://6672b824b437377be52816b17b62628bcb5d2fde0a3f9f68d72e011af4a48880",
                            "exitCode": 0,
                            "finishedAt": "2026-06-29T22:40:07Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782772806\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":420,\\\"failures\\\":0,\\\"warnings\\\":39,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-06-29T22:40:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "",
                                "--root",
                                "/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"\",\"componentGroup\":\"\",\"components\":[{\"name\":\"\",\"version\":\"\",\"containerImage\":\"quay.io/konflux-ci/ec-golden-image:latest\",\"source\":{}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "ec-policy"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://chains-e2e-ktby/golden-image-public-keygcxvygygnp"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "kueue.konflux-ci.dev/requests-mintmaker": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "mintmaker/results/3725cf44-b5d1-47da-bc0a-fd79b0240db9/records/e2b17223-deeb-4408-9353-a04638b6f7f8",
                    "results.tekton.dev/result": "mintmaker/results/3725cf44-b5d1-47da-bc0a-fd79b0240db9",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-4603dab14c6b96357fe1fda5a42d87dc-137ae56f8807b1e1-01\"}"
                },
                "creationTimestamp": "2026-06-30T00:00:17Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "kueue.x-k8s.io/priority-class": "konflux-dependency-update",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "mintmaker.appstudio.redhat.com/application": "moshekipod-backwards-compat-dr",
                    "mintmaker.appstudio.redhat.com/branch": "main",
                    "mintmaker.appstudio.redhat.com/component": "mathwizz-frontend",
                    "mintmaker.appstudio.redhat.com/git-host": "github.com",
                    "mintmaker.appstudio.redhat.com/git-platform": "github",
                    "mintmaker.appstudio.redhat.com/namespace": "dr-test-moshekipod-backwards-compat-dr",
                    "mintmaker.appstudio.redhat.com/repo-branch-hash": "34f8a1242bd7",
                    "mintmaker.appstudio.redhat.com/repository": "redhat-appstudio-qe_DR-MathWizz-ybfklp",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "renovate-06300000-c089aa0f",
                    "tekton.dev/pipelineRun": "renovate-06300000-c089aa0f",
                    "tekton.dev/pipelineRunUID": "3725cf44-b5d1-47da-bc0a-fd79b0240db9",
                    "tekton.dev/pipelineTask": "build"
                },
                "name": "renovate-06300000-c089aa0f-build",
                "namespace": "mintmaker",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "renovate-06300000-c089aa0f",
                        "uid": "3725cf44-b5d1-47da-bc0a-fd79b0240db9"
                    }
                ],
                "resourceVersion": "120296",
                "uid": "e2b17223-deeb-4408-9353-a04638b6f7f8"
            },
            "spec": {
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "mintmaker-controller-manager",
                "taskSpec": {
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mintmaker-osv-database:latest",
                            "name": "prepare-db",
                            "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "registry.access.redhat.com/ubi9",
                            "name": "prepare-rpm-cert",
                            "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsUser": 0
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                },
                                "requests": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/home/renovate"
                                },
                                {
                                    "name": "LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "LOG_FORMAT",
                                    "value": "json"
                                },
                                {
                                    "name": "OSV_OFFLINE_DISABLE_DOWNLOAD",
                                    "value": "true"
                                },
                                {
                                    "name": "OSV_OFFLINE_ROOT_DIR",
                                    "value": "/workspace/shared-data/osv-db"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_KEY",
                                    "value": "/workspace/shared-data/rpm-certs/key.pem"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_CERT",
                                    "value": "/workspace/shared-data/rpm-certs/cert.pem"
                                },
                                {
                                    "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS",
                                    "value": "7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest",
                            "name": "renovate",
                            "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/renovate/config",
                                    "name": "configmap-renovate-06300000-c089aa0f",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/renovate/secret",
                                    "name": "secret-renovate-06300000-c089aa0f-61ff9177",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/pki/ca-trust/extracted/pem",
                                    "name": "configmap-trusted-ca-6ct58987ht",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "config.js",
                                        "path": "config.js"
                                    }
                                ],
                                "name": "renovate-06300000-c089aa0f",
                                "optional": false
                            },
                            "name": "configmap-renovate-06300000-c089aa0f"
                        },
                        {
                            "name": "secret-renovate-06300000-c089aa0f-61ff9177",
                            "secret": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "renovate-token",
                                        "path": "renovate-token"
                                    }
                                ],
                                "optional": false,
                                "secretName": "renovate-06300000-c089aa0f"
                            }
                        },
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "tls-ca-bundle.pem"
                                    }
                                ],
                                "name": "trusted-ca-6ct58987ht",
                                "optional": false
                            },
                            "name": "configmap-trusted-ca-6ct58987ht"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "shared-data"
                        }
                    ]
                },
                "timeout": "2h0m0s",
                "workspaces": [
                    {
                        "emptyDir": {},
                        "name": "shared-data"
                    }
                ]
            },
            "status": {
                "completionTime": "2026-06-30T00:02:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-30T00:02:34Z",
                        "message": "the step \"renovate\" in TaskRun \"renovate-06300000-c089aa0f-build\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/mintmaker-renovate-image:latest\".\"",
                        "reason": "TaskRunImagePullFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "renovate-06300000-c089aa0f-build-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    }
                },
                "spanContext": {
                    "traceparent": "00-4603dab14c6b96357fe1fda5a42d87dc-137ae56f8807b1e1-01"
                },
                "startTime": "2026-06-30T00:00:17Z",
                "steps": [
                    {
                        "container": "step-prepare-db",
                        "imageID": "quay.io/konflux-ci/mintmaker-osv-database@sha256:4f3f22b19067c63d3f1abdcec9a575de985c2d6fa3e422c86ffe4d43242127f4",
                        "name": "prepare-db",
                        "provenance": {},
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-06-30T00:02:34Z",
                            "message": "Step prepare-db terminated as pod renovate-06300000-c089aa0f-build-pod is terminated",
                            "reason": "TaskRunImagePullFailed",
                            "startedAt": "2026-06-30T00:00:22Z"
                        },
                        "terminationReason": "TaskRunImagePullFailed"
                    },
                    {
                        "container": "step-prepare-rpm-cert",
                        "imageID": "registry.access.redhat.com/ubi9@sha256:37a15896602263cb998cd3c21919efb433adf9dbd3a7c961da5d8e3083a0db82",
                        "name": "prepare-rpm-cert",
                        "provenance": {},
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-06-30T00:02:34Z",
                            "message": "Step prepare-rpm-cert terminated as pod renovate-06300000-c089aa0f-build-pod is terminated",
                            "reason": "TaskRunImagePullFailed",
                            "startedAt": "2026-06-30T00:00:27Z"
                        },
                        "terminationReason": "TaskRunImagePullFailed"
                    },
                    {
                        "container": "step-renovate",
                        "name": "renovate",
                        "provenance": {},
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-06-30T00:02:34Z",
                            "message": "Step renovate terminated as pod renovate-06300000-c089aa0f-build-pod is terminated",
                            "reason": "TaskRunImagePullFailed",
                            "startedAt": "2026-06-30T00:00:17Z"
                        },
                        "terminationReason": "TaskRunImagePullFailed"
                    }
                ],
                "taskSpec": {
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mintmaker-osv-database:latest",
                            "name": "prepare-db",
                            "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "registry.access.redhat.com/ubi9",
                            "name": "prepare-rpm-cert",
                            "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsUser": 0
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                },
                                "requests": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/home/renovate"
                                },
                                {
                                    "name": "LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "LOG_FORMAT",
                                    "value": "json"
                                },
                                {
                                    "name": "OSV_OFFLINE_DISABLE_DOWNLOAD",
                                    "value": "true"
                                },
                                {
                                    "name": "OSV_OFFLINE_ROOT_DIR",
                                    "value": "/workspace/shared-data/osv-db"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_KEY",
                                    "value": "/workspace/shared-data/rpm-certs/key.pem"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_CERT",
                                    "value": "/workspace/shared-data/rpm-certs/cert.pem"
                                },
                                {
                                    "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS",
                                    "value": "7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest",
                            "name": "renovate",
                            "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/renovate/config",
                                    "name": "configmap-renovate-06300000-c089aa0f",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/renovate/secret",
                                    "name": "secret-renovate-06300000-c089aa0f-61ff9177",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/pki/ca-trust/extracted/pem",
                                    "name": "configmap-trusted-ca-6ct58987ht",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "config.js",
                                        "path": "config.js"
                                    }
                                ],
                                "name": "renovate-06300000-c089aa0f",
                                "optional": false
                            },
                            "name": "configmap-renovate-06300000-c089aa0f"
                        },
                        {
                            "name": "secret-renovate-06300000-c089aa0f-61ff9177",
                            "secret": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "renovate-token",
                                        "path": "renovate-token"
                                    }
                                ],
                                "optional": false,
                                "secretName": "renovate-06300000-c089aa0f"
                            }
                        },
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "tls-ca-bundle.pem"
                                    }
                                ],
                                "name": "trusted-ca-6ct58987ht",
                                "optional": false
                            },
                            "name": "configmap-trusted-ca-6ct58987ht"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "shared-data"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "kueue.konflux-ci.dev/requests-konflux-ci-dev-token": "1",
                    "kueue.konflux-ci.dev/requests-mintmaker": "1",
                    "pipeline.tekton.dev/release": "b150ab2dbe70ef4c9d499e6bf5dcf5738b5a591b",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "mintmaker/results/fbadf364-692e-46bf-8efa-b0b76e65876d/records/94fab9b2-3ffc-402e-bbc7-3a047c0ec190",
                    "results.tekton.dev/result": "mintmaker/results/fbadf364-692e-46bf-8efa-b0b76e65876d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-93f47d57a43a062792883f323bfb05d3-1c592cbc43eb9d76-01\"}"
                },
                "creationTimestamp": "2026-06-30T00:00:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "kueue.x-k8s.io/priority-class": "konflux-dependency-update",
                    "kueue.x-k8s.io/queue-name": "pipelines-queue",
                    "mintmaker.appstudio.redhat.com/application": "kokohazamar-backwards-compat-dr",
                    "mintmaker.appstudio.redhat.com/branch": "main",
                    "mintmaker.appstudio.redhat.com/component": "mathwizz-frontend",
                    "mintmaker.appstudio.redhat.com/git-host": "github.com",
                    "mintmaker.appstudio.redhat.com/git-platform": "github",
                    "mintmaker.appstudio.redhat.com/namespace": "dr-test-kokohazamar-backwards-compat-dr",
                    "mintmaker.appstudio.redhat.com/repo-branch-hash": "751c14f03fc3",
                    "mintmaker.appstudio.redhat.com/repository": "redhat-appstudio-qe_DR-MathWizz-bqyswr",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "renovate-06300000-c6b03658",
                    "tekton.dev/pipelineRun": "renovate-06300000-c6b03658",
                    "tekton.dev/pipelineRunUID": "fbadf364-692e-46bf-8efa-b0b76e65876d",
                    "tekton.dev/pipelineTask": "build"
                },
                "name": "renovate-06300000-c6b03658-build",
                "namespace": "mintmaker",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "renovate-06300000-c6b03658",
                        "uid": "fbadf364-692e-46bf-8efa-b0b76e65876d"
                    }
                ],
                "resourceVersion": "120210",
                "uid": "94fab9b2-3ffc-402e-bbc7-3a047c0ec190"
            },
            "spec": {
                "podTemplate": {
                    "nodeSelector": {
                        "konflux-ci.dev/workload": "konflux-tenants"
                    },
                    "tolerations": [
                        {
                            "effect": "NoSchedule",
                            "key": "konflux-ci.dev/workload",
                            "operator": "Equal",
                            "value": "konflux-tenants"
                        }
                    ]
                },
                "serviceAccountName": "mintmaker-controller-manager",
                "taskSpec": {
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mintmaker-osv-database:latest",
                            "name": "prepare-db",
                            "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "registry.access.redhat.com/ubi9",
                            "name": "prepare-rpm-cert",
                            "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsUser": 0
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                },
                                "requests": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/home/renovate"
                                },
                                {
                                    "name": "LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "LOG_FORMAT",
                                    "value": "json"
                                },
                                {
                                    "name": "OSV_OFFLINE_DISABLE_DOWNLOAD",
                                    "value": "true"
                                },
                                {
                                    "name": "OSV_OFFLINE_ROOT_DIR",
                                    "value": "/workspace/shared-data/osv-db"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_KEY",
                                    "value": "/workspace/shared-data/rpm-certs/key.pem"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_CERT",
                                    "value": "/workspace/shared-data/rpm-certs/cert.pem"
                                },
                                {
                                    "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS",
                                    "value": "7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest",
                            "name": "renovate",
                            "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/renovate/config",
                                    "name": "configmap-renovate-06300000-c6b03658",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/renovate/secret",
                                    "name": "secret-renovate-06300000-c6b03658-70bb176d",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/pki/ca-trust/extracted/pem",
                                    "name": "configmap-trusted-ca-6ct58987ht",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "config.js",
                                        "path": "config.js"
                                    }
                                ],
                                "name": "renovate-06300000-c6b03658",
                                "optional": false
                            },
                            "name": "configmap-renovate-06300000-c6b03658"
                        },
                        {
                            "name": "secret-renovate-06300000-c6b03658-70bb176d",
                            "secret": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "renovate-token",
                                        "path": "renovate-token"
                                    }
                                ],
                                "optional": false,
                                "secretName": "renovate-06300000-c6b03658"
                            }
                        },
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "tls-ca-bundle.pem"
                                    }
                                ],
                                "name": "trusted-ca-6ct58987ht",
                                "optional": false
                            },
                            "name": "configmap-trusted-ca-6ct58987ht"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "shared-data"
                        }
                    ]
                },
                "timeout": "2h0m0s",
                "workspaces": [
                    {
                        "emptyDir": {},
                        "name": "shared-data"
                    }
                ]
            },
            "status": {
                "completionTime": "2026-06-30T00:02:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-06-30T00:02:30Z",
                        "message": "the step \"renovate\" in TaskRun \"renovate-06300000-c6b03658-build\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/mintmaker-renovate-image:latest\".\"",
                        "reason": "TaskRunImagePullFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "renovate-06300000-c6b03658-build-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "alpha",
                        "enableParamEnum": true,
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    }
                },
                "spanContext": {
                    "traceparent": "00-93f47d57a43a062792883f323bfb05d3-1c592cbc43eb9d76-01"
                },
                "startTime": "2026-06-30T00:00:17Z",
                "steps": [
                    {
                        "container": "step-prepare-db",
                        "imageID": "quay.io/konflux-ci/mintmaker-osv-database@sha256:4f3f22b19067c63d3f1abdcec9a575de985c2d6fa3e422c86ffe4d43242127f4",
                        "name": "prepare-db",
                        "provenance": {},
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-06-30T00:02:30Z",
                            "message": "Step prepare-db terminated as pod renovate-06300000-c6b03658-build-pod is terminated",
                            "reason": "TaskRunImagePullFailed",
                            "startedAt": "2026-06-30T00:00:23Z"
                        },
                        "terminationReason": "TaskRunImagePullFailed"
                    },
                    {
                        "container": "step-prepare-rpm-cert",
                        "imageID": "registry.access.redhat.com/ubi9@sha256:37a15896602263cb998cd3c21919efb433adf9dbd3a7c961da5d8e3083a0db82",
                        "name": "prepare-rpm-cert",
                        "provenance": {},
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-06-30T00:02:30Z",
                            "message": "Step prepare-rpm-cert terminated as pod renovate-06300000-c6b03658-build-pod is terminated",
                            "reason": "TaskRunImagePullFailed",
                            "startedAt": "2026-06-30T00:00:26Z"
                        },
                        "terminationReason": "TaskRunImagePullFailed"
                    },
                    {
                        "container": "step-renovate",
                        "name": "renovate",
                        "provenance": {},
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-06-30T00:02:30Z",
                            "message": "Step renovate terminated as pod renovate-06300000-c6b03658-build-pod is terminated",
                            "reason": "TaskRunImagePullFailed",
                            "startedAt": "2026-06-30T00:00:16Z"
                        },
                        "terminationReason": "TaskRunImagePullFailed"
                    }
                ],
                "taskSpec": {
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mintmaker-osv-database:latest",
                            "name": "prepare-db",
                            "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "registry.access.redhat.com/ubi9",
                            "name": "prepare-rpm-cert",
                            "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsUser": 0
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                },
                                "requests": {
                                    "cpu": "300m",
                                    "memory": "3584Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/home/renovate"
                                },
                                {
                                    "name": "LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "LOG_FORMAT",
                                    "value": "json"
                                },
                                {
                                    "name": "OSV_OFFLINE_DISABLE_DOWNLOAD",
                                    "value": "true"
                                },
                                {
                                    "name": "OSV_OFFLINE_ROOT_DIR",
                                    "value": "/workspace/shared-data/osv-db"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_KEY",
                                    "value": "/workspace/shared-data/rpm-certs/key.pem"
                                },
                                {
                                    "name": "DNF_VAR_SSL_CLIENT_CERT",
                                    "value": "/workspace/shared-data/rpm-certs/cert.pem"
                                },
                                {
                                    "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS",
                                    "value": "7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest",
                            "name": "renovate",
                            "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "runAsUser": 1001120000
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/renovate/config",
                                    "name": "configmap-renovate-06300000-c6b03658",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/renovate/secret",
                                    "name": "secret-renovate-06300000-c6b03658-70bb176d",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/pki/ca-trust/extracted/pem",
                                    "name": "configmap-trusted-ca-6ct58987ht",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "config.js",
                                        "path": "config.js"
                                    }
                                ],
                                "name": "renovate-06300000-c6b03658",
                                "optional": false
                            },
                            "name": "configmap-renovate-06300000-c6b03658"
                        },
                        {
                            "name": "secret-renovate-06300000-c6b03658-70bb176d",
                            "secret": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "renovate-token",
                                        "path": "renovate-token"
                                    }
                                ],
                                "optional": false,
                                "secretName": "renovate-06300000-c6b03658"
                            }
                        },
                        {
                            "configMap": {
                                "defaultMode": 420,
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "tls-ca-bundle.pem"
                                    }
                                ],
                                "name": "trusted-ca-6ct58987ht",
                                "optional": false
                            },
                            "name": "configmap-trusted-ca-6ct58987ht"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "shared-data"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
