# Tekton PipelineRun as stored on the cluster: metadata, spec and the first
# entries of status for a Pipelines-as-Code push build of
# konflux-demo-component-tuah. The layout is restored to one key per line;
# keys and values are unchanged.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  annotations:
    build.appstudio.openshift.io/repo: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo?rev=58ffd0a360cd540b26caa73605e00c0938f17d5b
    build.appstudio.redhat.com/commit_sha: 58ffd0a360cd540b26caa73605e00c0938f17d5b
    build.appstudio.redhat.com/target_branch: base-gufaln
    # Owned by tekton-chains-controller (see managedFields). The Succeeded
    # condition recorded in status for this same run is "False" (reason:
    # Failed), so this annotation must not be read as "the build passed".
    # NOTE(review): presumably it only marks the run as processed by Chains;
    # verify the signature/attestation itself rather than trusting this flag.
    chains.tekton.dev/signed: "true"
    pipelinesascode.tekton.dev/branch: base-gufaln
    pipelinesascode.tekton.dev/cancel-in-progress: "false"
    pipelinesascode.tekton.dev/check-run-id: "74565094898"
    pipelinesascode.tekton.dev/controller-info: '{"name":"default","configmap":"pipelines-as-code","secret":"pipelines-as-code-secret", "gRepo": "pipelines-as-code"}'
    pipelinesascode.tekton.dev/event-type: push
    # Name of a Secret, not its content. The same Secret backs the git-auth
    # workspace in spec.workspaces. NOTE(review): presumably it holds the Git
    # credential generated for this run; confirm it is removed with the run.
    pipelinesascode.tekton.dev/git-auth-secret: pac-gitauth-ghtrmg
    pipelinesascode.tekton.dev/git-provider: github
    pipelinesascode.tekton.dev/installation-id: "40773614"
    # Embeds the cluster console hostname and the namespace; treat it as
    # internal detail when this object is shared outside the team.
    pipelinesascode.tekton.dev/log-url: https://console-openshift-console.apps.rosa.kx-950319ea74.0g4b.p3.openshiftapps.com/k8s/ns/konflux-xvul/tekton.dev~v1~PipelineRun/konflux-demo-component-tuah-on-push-nzmw7
    pipelinesascode.tekton.dev/max-keep-runs: "3"
    # Trigger filter: only push events targeting branch base-gufaln match.
    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "base-gufaln"
    pipelinesascode.tekton.dev/original-prname: konflux-demo-component-tuah-on-push
    pipelinesascode.tekton.dev/pull-request: "29603"
    pipelinesascode.tekton.dev/repo-url: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo
    pipelinesascode.tekton.dev/repository: konflux-demo-component-tuah
    pipelinesascode.tekton.dev/scm-reporting-plr-started: "true"
    pipelinesascode.tekton.dev/sender: rhtap-qe-bots-2
    pipelinesascode.tekton.dev/sha: 58ffd0a360cd540b26caa73605e00c0938f17d5b
    # NOTE(review): the line breaks inside this literal block were flattened
    # in this copy; the text is kept exactly as it appears here.
    pipelinesascode.tekton.dev/sha-title: |-
      Merge pull request #29603 from redhat-appstudio-qe/konflux-konflux-demo-component-tuah RHTAP-Qe-App update konflux-demo-component-tuah
    pipelinesascode.tekton.dev/sha-url: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo/commit/58ffd0a360cd540b26caa73605e00c0938f17d5b
    pipelinesascode.tekton.dev/source-branch: refs/heads/base-gufaln
    pipelinesascode.tekton.dev/source-repo-url: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo
    pipelinesascode.tekton.dev/state: completed
    pipelinesascode.tekton.dev/url-org: redhat-appstudio-qe
    pipelinesascode.tekton.dev/url-repository: hacbs-test-project-konflux-demo
    results.tekton.dev/record: konflux-xvul/results/6fce9785-9f96-485b-a54c-090e8483dccc/records/6fce9785-9f96-485b-a54c-090e8483dccc
    results.tekton.dev/recordSummaryAnnotations: '{"repo":"hacbs-test-project-konflux-demo","commit":"58ffd0a360cd540b26caa73605e00c0938f17d5b","eventType":"push","pull_request-id":29603}'
    results.tekton.dev/result: konflux-xvul/results/6fce9785-9f96-485b-a54c-090e8483dccc
    test.appstudio.openshift.io/pr-status: merged
  creationTimestamp: "2026-05-06T07:14:38Z"
  # Three finalizers are registered (Results, Chains, Pipelines-as-Code).
  finalizers:
  - results.tekton.dev/pipelinerun
  - chains.tekton.dev/pipelinerun
  - pipelinesascode.tekton.dev/finalizer
  generateName: konflux-demo-component-tuah-on-push-
  generation: 2
  labels:
    app.kubernetes.io/managed-by: pipelinesascode.tekton.dev
    app.kubernetes.io/version: v0.43.0
    appstudio.openshift.io/application: konflux-demo-app
    appstudio.openshift.io/component: konflux-demo-component-tuah
    kueue.x-k8s.io/priority-class: konflux-post-merge-build
    kueue.x-k8s.io/queue-name: pipelines-queue
    pipelines.appstudio.openshift.io/type: build
    pipelinesascode.tekton.dev/cancel-in-progress: "false"
    pipelinesascode.tekton.dev/check-run-id: "74565094898"
    pipelinesascode.tekton.dev/event-type: push
    pipelinesascode.tekton.dev/original-prname: konflux-demo-component-tuah-on-push
    pipelinesascode.tekton.dev/pull-request: "29603"
    pipelinesascode.tekton.dev/repository: konflux-demo-component-tuah
    pipelinesascode.tekton.dev/sha: 58ffd0a360cd540b26caa73605e00c0938f17d5b
    pipelinesascode.tekton.dev/state: completed
    pipelinesascode.tekton.dev/url-org: redhat-appstudio-qe
    pipelinesascode.tekton.dev/url-repository: hacbs-test-project-konflux-demo
    # Written by the manager named "exporter" (see managedFields); the value
    # names the clair-scan TaskRun of this run.
    pipelineservice.appstudio.io/throttled: konflux-demo-component-tuah-on-push-nzmw7-clair-scan
    tekton.dev/pipeline: konflux-demo-component-tuah-on-push-nzmw7
  # Field-ownership records: one entry per manager with the fields it wrote
  # and when. Useful when auditing who set a security-relevant field, e.g.
  # chains.tekton.dev/signed appears only under tekton-chains-controller.
  managedFields:
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:chains.tekton.dev/signed: {}
    manager: tekton-chains-controller
    operation: Apply
    time: "2026-05-06T07:22:23Z"
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:test.appstudio.openshift.io/pr-status: {}
    manager: manager
    operation: Update
    time: "2026-05-06T07:14:38Z"
  # The creating controller: it owns the whole spec as submitted (params,
  # pipelineSpec, serviceAccountName, workspaces) and the identifying
  # annotations and labels.
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:build.appstudio.openshift.io/repo: {}
          f:build.appstudio.redhat.com/commit_sha: {}
          f:build.appstudio.redhat.com/target_branch: {}
          f:pipelinesascode.tekton.dev/branch: {}
          f:pipelinesascode.tekton.dev/cancel-in-progress: {}
          f:pipelinesascode.tekton.dev/check-run-id: {}
          f:pipelinesascode.tekton.dev/controller-info: {}
          f:pipelinesascode.tekton.dev/event-type: {}
          f:pipelinesascode.tekton.dev/git-auth-secret: {}
          f:pipelinesascode.tekton.dev/git-provider: {}
          f:pipelinesascode.tekton.dev/installation-id: {}
          f:pipelinesascode.tekton.dev/log-url: {}
          f:pipelinesascode.tekton.dev/max-keep-runs: {}
          f:pipelinesascode.tekton.dev/on-cel-expression: {}
          f:pipelinesascode.tekton.dev/original-prname: {}
          f:pipelinesascode.tekton.dev/pull-request: {}
          f:pipelinesascode.tekton.dev/repo-url: {}
          f:pipelinesascode.tekton.dev/repository: {}
          f:pipelinesascode.tekton.dev/sender: {}
          f:pipelinesascode.tekton.dev/sha: {}
          f:pipelinesascode.tekton.dev/sha-title: {}
          f:pipelinesascode.tekton.dev/sha-url: {}
          f:pipelinesascode.tekton.dev/source-branch: {}
          f:pipelinesascode.tekton.dev/source-repo-url: {}
          f:pipelinesascode.tekton.dev/url-org: {}
          f:pipelinesascode.tekton.dev/url-repository: {}
          f:results.tekton.dev/recordSummaryAnnotations: {}
        f:generateName: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/version: {}
          f:appstudio.openshift.io/application: {}
          f:appstudio.openshift.io/component: {}
          f:pipelines.appstudio.openshift.io/type: {}
          f:pipelinesascode.tekton.dev/cancel-in-progress: {}
          f:pipelinesascode.tekton.dev/check-run-id: {}
          f:pipelinesascode.tekton.dev/event-type: {}
          f:pipelinesascode.tekton.dev/original-prname: {}
          f:pipelinesascode.tekton.dev/pull-request: {}
          f:pipelinesascode.tekton.dev/repository: {}
          f:pipelinesascode.tekton.dev/sha: {}
          f:pipelinesascode.tekton.dev/url-org: {}
          f:pipelinesascode.tekton.dev/url-repository: {}
      f:spec:
        .: {}
        f:params: {}
        f:pipelineSpec:
          .: {}
          f:description: {}
          f:params: {}
          f:results: {}
          f:tasks: {}
          f:workspaces: {}
        f:taskRunTemplate:
          .: {}
          f:serviceAccountName: {}
        f:workspaces: {}
    manager: pipelines-as-code-controller
    operation: Update
    time: "2026-05-06T07:14:39Z"
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          v:"chains.tekton.dev/pipelinerun": {}
        f:labels:
          f:tekton.dev/pipeline: {}
    manager: controller
    operation: Update
    time: "2026-05-06T07:14:52Z"
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          f:pipelineservice.appstudio.io/throttled: {}
    manager: exporter
    operation: Update
    time: "2026-05-06T07:18:55Z"
  # Status is written through the status subresource by "controller".
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        .: {}
        f:childReferences: {}
        f:completionTime: {}
        f:conditions: {}
        f:pipelineSpec:
          .: {}
          f:description: {}
          f:params: {}
          f:results: {}
          f:tasks: {}
          f:workspaces: {}
        f:provenance:
          .: {}
          f:featureFlags:
            .: {}
            f:awaitSidecarReadiness: {}
            f:coschedule: {}
            f:enableAPIFields: {}
            f:enableParamEnum: {}
            f:enableProvenanceInStatus: {}
            f:enforceNonfalsifiability: {}
            f:maxResultSize: {}
            f:resultExtractionMethod: {}
            f:runningInEnvWithInjectedSidecars: {}
            f:verificationNoMatchPolicy: {}
        f:results: {}
        f:skippedTasks: {}
        f:spanContext:
          .: {}
          f:traceparent: {}
        f:startTime: {}
    manager: controller
    operation: Update
    subresource: status
    time: "2026-05-06T07:22:23Z"
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:pipelinesascode.tekton.dev/scm-reporting-plr-started: {}
          f:pipelinesascode.tekton.dev/state: {}
        f:finalizers:
          v:"pipelinesascode.tekton.dev/finalizer": {}
        f:labels:
          f:pipelinesascode.tekton.dev/state: {}
      f:spec:
        f:status: {}
    manager: pipelines-as-code-watcher
    operation: Update
    time: "2026-05-06T07:22:24Z"
  - apiVersion: tekton.dev/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:results.tekton.dev/record: {}
          f:results.tekton.dev/result: {}
        f:finalizers:
          .: {}
          v:"results.tekton.dev/pipelinerun": {}
    manager: watcher
    operation: Update
    time: "2026-05-06T07:22:24Z"
  name: konflux-demo-component-tuah-on-push-nzmw7
  namespace: konflux-xvul
  resourceVersion: "83950"
  uid: 6fce9785-9f96-485b-a54c-090e8483dccc
spec:
  # Run-time inputs. revision is a full commit SHA and output-image is tagged
  # with that same SHA. Every pipeline parameter not listed here (hermetic,
  # skip-checks, privileged-nested, ...) takes its default from pipelineSpec.
  params:
  - name: git-url
    value: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo
  - name: revision
    value: 58ffd0a360cd540b26caa73605e00c0938f17d5b
  - name: output-image
    value: quay.io/redhat-appstudio-qe/konflux-xvul/konflux-demo-component-tuah:58ffd0a360cd540b26caa73605e00c0938f17d5b
  - name: dockerfile
    value: Dockerfile
  # The pipeline definition is embedded in the run (pipelineSpec, no
  # pipelineRef), so this object records the exact task graph that was
  # requested.
  pipelineSpec:
    # NOTE(review): the line breaks inside this literal block were flattened
    # in this copy; the text is kept exactly as it appears here.
    description: |
      This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_
    params:
    - description: Source Repository URL
      name: git-url
      type: string
    - default: ""
      description: Revision of the Source Repository
      name: revision
      type: string
    - description: Fully Qualified Output Image
      name: output-image
      type: string
    - default: .
      description: Path to the source code of an application's component from where to build image.
      name: path-context
      type: string
    - default: Dockerfile
      description: Path to the Dockerfile inside the context specified by parameter path-context
      name: dockerfile
      type: string
    # "true" would switch off every task below that carries
    # `when: skip-checks in ["false"]`: deprecated-base-image-check,
    # clair-scan, ecosystem-cert-preflight-checks, sast-snyk-check,
    # clamav-scan, sast-shell-check, sast-unicode-check, rpms-signature-scan.
    # Not overridden in spec.params, so the checks are requested in this run.
    - default: "false"
      description: Skip checks against built image
      name: skip-checks
      type: string
    # Left at "false" in this run: the build is not requested with network
    # isolation, and prefetch-input below is empty as well.
    - default: "false"
      description: Execute the build with network isolation
      name: hermetic
      type: string
    - default: ""
      description: Build dependencies to be prefetched
      name: prefetch-input
      type: string
    # Empty in this run; the same value is forwarded as
    # ociArtifactExpiresAfter for the .git and .prefetch artifacts.
    # NOTE(review): presumably empty means no expiry is set; confirm the
    # registry retention for these artifacts.
    - default: ""
      description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
      name: image-expires-after
      type: string
    - default: "false"
      description: Build a source image.
      name: build-source-image
      type: string
    - default: "false"
      description: Add built image into an OCI image index
      name: build-image-index
      type: string
    - default: docker
      description: The format for the resulting image's mediaType. Valid values are oci or docker.
      name: buildah-format
      type: string
    - default: "false"
      description: Enable cache proxy configuration
      name: enable-cache-proxy
      type: string
    - default: "true"
      description: Use the package registry proxy when prefetching dependencies
      name: enable-package-registry-proxy
      type: string
    - default: .
      description: Target directories in component's source code to scan with SAST tools. Multiple values should be separated with commas.
      name: sast-target-dirs
      type: string
    # NOTE(review): build-arg values commonly remain visible in image
    # metadata/history; do not pass credentials through build-args or
    # build-args-file. Confirm against the buildah task in use.
    - default: []
      description: Array of --build-arg values ("arg=value" strings) for buildah
      name: build-args
      type: array
    - default: ""
      description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file
      name: build-args-file
      type: string
    # Left at "false" in this run.
    - default: "false"
      description: Whether to enable privileged mode, should be used only with remote VMs
      name: privileged-nested
      type: string
    # NOTE(review): these result names look like the type hints Tekton Chains
    # reads for provenance (image subject, Git source); confirm against the
    # Chains version in use before relying on them.
    results:
    - description: ""
      name: IMAGE_URL
      value: $(tasks.build-image-index.results.IMAGE_URL)
    - description: ""
      name: IMAGE_DIGEST
      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
    - description: ""
      name: CHAINS-GIT_URL
      value: $(tasks.clone-repository.results.url)
    - description: ""
      name: CHAINS-GIT_COMMIT
      value: $(tasks.clone-repository.results.commit)
    # Every taskRef below goes through the bundles resolver and names its
    # bundle with both a tag and a sha256 digest, so the task definition is
    # pinned by digest rather than by a movable tag.
    tasks:
    - name: init
      params:
      - name: enable-cache-proxy
        value: $(params.enable-cache-proxy)
      taskRef:
        params:
        - name: name
          value: init
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:90f0e8e134c4bb919956bb095d62365907adeea4fbeb4cebbf5f3f94286bf967
        - name: kind
          value: task
        resolver: bundles
    # clone-repository and prefetch-dependencies are the only tasks bound to
    # the git-auth workspace, i.e. the only ones given the Git auth Secret.
    # The cloned source is stored as an OCI artifact at <output-image>.git.
    - name: clone-repository
      params:
      - name: url
        value: $(params.git-url)
      - name: revision
        value: $(params.revision)
      - name: ociStorage
        value: $(params.output-image).git
      - name: ociArtifactExpiresAfter
        value: $(params.image-expires-after)
      runAfter:
      - init
      taskRef:
        params:
        - name: name
          value: git-clone-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:13d49df7dc9ae301627e45f95a236011422996152f1bea46cd60217b0f057407
        - name: kind
          value: task
        resolver: bundles
      workspaces:
      - name: basic-auth
        workspace: git-auth
    - name: prefetch-dependencies
      params:
      - name: input
        value: $(params.prefetch-input)
      - name: enable-package-registry-proxy
        value: $(params.enable-package-registry-proxy)
      - name: SOURCE_ARTIFACT
        value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
      - name: ociStorage
        value: $(params.output-image).prefetch
      - name: ociArtifactExpiresAfter
        value: $(params.image-expires-after)
      runAfter:
      - clone-repository
      taskRef:
        params:
        - name: name
          value: prefetch-dependencies-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d
        - name: kind
          value: task
        resolver: bundles
      workspaces:
      - name: git-basic-auth
        workspace: git-auth
      - name: netrc
        workspace: netrc
    # The build consumes the source and prefetch artifacts produced by the
    # earlier tasks and takes no workspace, so it is not handed the Git
    # credential. HERMETIC and PRIVILEGED_NESTED are forwarded from the
    # pipeline parameters.
    - name: build-container
      params:
      - name: IMAGE
        value: $(params.output-image)
      - name: DOCKERFILE
        value: $(params.dockerfile)
      - name: CONTEXT
        value: $(params.path-context)
      - name: HERMETIC
        value: $(params.hermetic)
      - name: PREFETCH_INPUT
        value: $(params.prefetch-input)
      - name: IMAGE_EXPIRES_AFTER
        value: $(params.image-expires-after)
      - name: COMMIT_SHA
        value: $(tasks.clone-repository.results.commit)
      - name: BUILD_ARGS
        value:
        - $(params.build-args[*])
      - name: BUILD_ARGS_FILE
        value: $(params.build-args-file)
      - name: PRIVILEGED_NESTED
        value: $(params.privileged-nested)
      - name: SOURCE_URL
        value: $(tasks.clone-repository.results.url)
      - name: BUILDAH_FORMAT
        value: $(params.buildah-format)
      - name: HTTP_PROXY
        value: $(tasks.init.results.http-proxy)
      - name: NO_PROXY
        value: $(tasks.init.results.no-proxy)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - prefetch-dependencies
      taskRef:
        params:
        - name: name
          value: buildah-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:681d9f65a7f50cb260ee576ccab551e11d63c549f1e1ef3d201da3c112855bd6
        - name: kind
          value: task
        resolver: bundles
    # The built image is handed over as URL@DIGEST, not by tag alone. Every
    # later task takes its image reference from this task's results.
    - name: build-image-index
      params:
      - name: IMAGE
        value: $(params.output-image)
      - name: ALWAYS_BUILD_INDEX
        value: $(params.build-image-index)
      - name: IMAGES
        value:
        - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
      - name: BUILDAH_FORMAT
        value: $(params.buildah-format)
      runAfter:
      - build-container
      taskRef:
        params:
        - name: name
          value: build-image-index
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb
        - name: kind
          value: task
        resolver: bundles
    # Runs only when build-source-image is "true"; the default is "false" and
    # spec.params does not override it.
    - name: build-source-image
      params:
      - name: BINARY_IMAGE
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: BINARY_IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: source-build-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:0917cfc7772e82cb8e74743c2104f43bcf2596aceafe87eec6fce69a8cac5f06
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.build-source-image)
        operator: in
        values:
        - "true"
    # From here on: checks gated on skip-checks == "false". Each one is
    # ordered after build-image-index only, so they are independent of one
    # another in the task graph.
    - name: deprecated-base-image-check
      params:
      - name: IMAGE_URL
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: deprecated-image-check
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    - name: clair-scan
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: clair-scan
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    # This check receives image-url only, with no digest parameter.
    # NOTE(review): confirm the task resolves the same image that was built.
    - name: ecosystem-cert-preflight-checks
      params:
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: ecosystem-cert-preflight-checks
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:e2bcf1174a6dae9969b8f12e94babe2a5881bc77a509f10823b6a9eac6392850
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    - name: sast-snyk-check
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: TARGET_DIRS
        value: $(params.sast-target-dirs)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: sast-snyk-check-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8f3ecbeaff579e41b8278f82d7fabac27845db17a8e687ea6c510c0c9aceabbb
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    - name: clamav-scan
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: clamav-scan
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    - name: sast-shell-check
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: TARGET_DIRS
        value: $(params.sast-target-dirs)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: sast-shell-check-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    - name: sast-unicode-check
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: TARGET_DIRS
        value: $(params.sast-target-dirs)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: sast-unicode-check-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    # apply-tags and push-dockerfile have no `when` guard and are ordered
    # after build-image-index only, so they do not wait for the scan tasks.
    # NOTE(review): scan findings therefore have to be enforced by a later
    # policy gate (the description mentions EC), not by this task ordering.
    - name: apply-tags
      params:
      - name: IMAGE_URL
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: apply-tags
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66
        - name: kind
          value: task
        resolver: bundles
    - name: push-dockerfile
      params:
      - name: IMAGE
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: DOCKERFILE
        value: $(params.dockerfile)
      - name: CONTEXT
        value: $(params.path-context)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: push-dockerfile-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71
        - name: kind
          value: task
        resolver: bundles
    - name: rpms-signature-scan
      params:
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: rpms-signature-scan
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:4ceea61b0fa81bc5da05afb26d51e06e4843378d739e4d003b062d5d04cc5e90
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(params.skip-checks)
        operator: in
        values:
        - "false"
    # Both workspaces are optional. spec.workspaces binds only git-auth, so
    # netrc is not provided in this run.
    workspaces:
    - name: git-auth
      optional: true
    - name: netrc
      optional: true
  taskRunTemplate:
    # The nodeSelector and the matching toleration both use the
    # konflux-ci.dev/workload=konflux-tenants label/taint key.
    podTemplate:
      nodeSelector:
        konflux-ci.dev/workload: konflux-tenants
      tolerations:
      - effect: NoSchedule
        key: konflux-ci.dev/workload
        operator: Equal
        value: konflux-tenants
    # One ServiceAccount is set for the whole run. Its RBAC and linked
    # secrets are not shown here and should be reviewed for least privilege.
    serviceAccountName: build-pipeline-konflux-demo-component-tuah
  timeouts:
    pipeline: 2h0m0s
  # Binds the git-auth workspace to the Secret named in the
  # pipelinesascode.tekton.dev/git-auth-secret annotation.
  workspaces:
  - name: git-auth
    secret:
      secretName: pac-gitauth-ghtrmg
# Status section; it continues past this point in the original flattened
# layout.
status:
  childReferences:
  - apiVersion: tekton.dev/v1
    kind: TaskRun
    name: konflux-demo-component-tuah-on-push-nzmw7-init
    pipelineTaskName: init
  - apiVersion: tekton.dev/v1
    kind: TaskRun
    name: konflux-demo-component-tuah-on-push-nzmw7-clone-repository
    pipelineTaskName: clone-repository
  - apiVersion: tekton.dev/v1
    kind: TaskRun
    name:
konflux-demo-component-tuah-on-push-nzmw7-prefetch-dependencies pipelineTaskName: prefetch-dependencies - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-build-container pipelineTaskName: build-container - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-build-image-index pipelineTaskName: build-image-index - apiVersion: tekton.dev/v1 kind: TaskRun name: konf339cd9184eaa40d6c8b009a0529f875-deprecated-base-image-check pipelineTaskName: deprecated-base-image-check whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-clair-scan pipelineTaskName: clair-scan whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-804dafde90575ce8dffde1109b246dd4 pipelineTaskName: ecosystem-cert-preflight-checks whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-sast-snyk-check pipelineTaskName: sast-snyk-check whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-clamav-scan pipelineTaskName: clamav-scan whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-sast-shell-check pipelineTaskName: sast-shell-check whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-sast-unicode-check pipelineTaskName: sast-unicode-check whenExpressions: - input: "false" operator: in values: - "false" - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-apply-tags pipelineTaskName: apply-tags - apiVersion: 
tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-push-dockerfile pipelineTaskName: push-dockerfile - apiVersion: tekton.dev/v1 kind: TaskRun name: konflux-demo-component-tuah-on-push-nzmw7-rpms-signature-scan pipelineTaskName: rpms-signature-scan whenExpressions: - input: "false" operator: in values: - "false" completionTime: "2026-05-06T07:22:23Z" conditions: - lastTransitionTime: "2026-05-06T07:22:23Z" message: 'Tasks Completed: 15 (Failed: 1, Cancelled 0), Skipped: 1' reason: Failed status: "False" type: Succeeded pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ params: - description: Source Repository URL name: git-url type: string - default: "" description: Revision of the Source Repository name: revision type: string - description: Fully Qualified Output Image name: output-image type: string - default: . description: Path to the source code of an application's component from where to build image. 
name: path-context type: string - default: Dockerfile description: Path to the Dockerfile inside the context specified by parameter path-context name: dockerfile type: string - default: "false" description: Skip checks against built image name: skip-checks type: string - default: "false" description: Execute the build with network isolation name: hermetic type: string - default: "" description: Build dependencies to be prefetched name: prefetch-input type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after type: string - default: "false" description: Build a source image. name: build-source-image type: string - default: "false" description: Add built image into an OCI image index name: build-image-index type: string - default: docker description: The format for the resulting image's mediaType. Valid values are oci or docker. name: buildah-format type: string - default: "false" description: Enable cache proxy configuration name: enable-cache-proxy type: string - default: "true" description: Use the package registry proxy when prefetching dependencies name: enable-package-registry-proxy type: string - default: . description: Target directories in component's source code to scan with SAST tools. Multiple values should be separated with commas. 
# Reflowed from a whitespace-collapsed dump of a Tekton PipelineRun. This excerpt
# starts inside a `params` list entry whose first keys are above it; the
# enclosing keys are not visible here. Indentation assumes the usual
# `status.pipelineSpec` nesting (values below are already substituted
# literals) - TODO confirm against the full object.
      name: sast-target-dirs
      type: string
    - default: []
      description: Array of --build-arg values ("arg=value" strings) for buildah
      name: build-args
      type: array
    - default: ""
      description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file
      name: build-args-file
      type: string
    # Defaults to "false"; the build-container task below also receives
    # PRIVILEGED_NESTED "false", so this run did not request privileged mode.
    - default: "false"
      description: Whether to enable privileged mode, should be used only with remote VMs
      name: privileged-nested
      type: string
    # Pipeline-level results. IMAGE_URL / IMAGE_DIGEST and the CHAINS-GIT_*
    # names follow Tekton Chains' type-hint naming, which Chains uses to
    # identify the built artifact and its source when generating provenance.
    results:
    - description: ""
      name: IMAGE_URL
      value: $(tasks.build-image-index.results.IMAGE_URL)
    - description: ""
      name: IMAGE_DIGEST
      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
    - description: ""
      name: CHAINS-GIT_URL
      value: $(tasks.clone-repository.results.url)
    - description: ""
      name: CHAINS-GIT_COMMIT
      value: $(tasks.clone-repository.results.commit)
    # Every taskRef below goes through the `bundles` resolver with a
    # tag@sha256 reference. The digest is what fixes the task content; the tag
    # is informational once a digest is present. Any allow-list comparison of
    # task bundles should therefore match on the digest.
    tasks:
    - name: init
      params:
      - name: enable-cache-proxy
        value: "false"
      taskRef:
        params:
        - name: name
          value: init
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:90f0e8e134c4bb919956bb095d62365907adeea4fbeb4cebbf5f3f94286bf967
        - name: kind
          value: task
        resolver: bundles
    # Source checkout: `revision` is a full commit id rather than a branch
    # name, and the same id appears in the image tag and in the recorded
    # CHAINS-GIT_COMMIT result further down.
    - name: clone-repository
      params:
      - name: url
        value: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo
      - name: revision
        value: 58ffd0a360cd540b26caa73605e00c0938f17d5b
      - name: ociStorage
        value: quay.io/redhat-appstudio-qe/konflux-xvul/konflux-demo-component-tuah:58ffd0a360cd540b26caa73605e00c0938f17d5b.git
      # NOTE(review): empty expiry - what the task does with "" is not
      # visible here; confirm whether the stored artifact is kept indefinitely.
      - name: ociArtifactExpiresAfter
        value: ""
      runAfter:
      - init
      taskRef:
        params:
        - name: name
          value: git-clone-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:13d49df7dc9ae301627e45f95a236011422996152f1bea46cd60217b0f057407
        - name: kind
          value: task
        resolver: bundles
      # Git credentials reach this task through the pipeline's optional
      # `git-auth` workspace (declared at the end of the pipeline spec).
      workspaces:
      - name: basic-auth
        workspace: git-auth
    - name: prefetch-dependencies
      params:
      # Empty `input`: no prefetch configuration was passed to the task.
      # Presumably nothing is prefetched in that case - confirm against the
      # task's documentation.
      - name: input
        value: ""
      - name: enable-package-registry-proxy
        value: "true"
      - name: SOURCE_ARTIFACT
        value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
      - name: ociStorage
        value: quay.io/redhat-appstudio-qe/konflux-xvul/konflux-demo-component-tuah:58ffd0a360cd540b26caa73605e00c0938f17d5b.prefetch
      - name: ociArtifactExpiresAfter
        value: ""
      runAfter:
      - clone-repository
      taskRef:
        params:
        - name: name
          value: prefetch-dependencies-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d
        - name: kind
          value: task
        resolver: bundles
      # Two credential-bearing workspaces are mounted here: git-auth and netrc.
      workspaces:
      - name: git-basic-auth
        workspace: git-auth
      - name: netrc
        workspace: netrc
    - name: build-container
      params:
      - name: IMAGE
        value: quay.io/redhat-appstudio-qe/konflux-xvul/konflux-demo-component-tuah:58ffd0a360cd540b26caa73605e00c0938f17d5b
      - name: DOCKERFILE
        value: Dockerfile
      - name: CONTEXT
        value: .
      # HERMETIC "false" together with an empty PREFETCH_INPUT: the build is
      # not marked hermetic. Presumably the build step keeps network access,
      # so anything the Dockerfile downloads is not covered by the prefetch
      # step - confirm against the buildah task's documentation.
      - name: HERMETIC
        value: "false"
      - name: PREFETCH_INPUT
        value: ""
      - name: IMAGE_EXPIRES_AFTER
        value: ""
      - name: COMMIT_SHA
        value: $(tasks.clone-repository.results.commit)
      - name: BUILD_ARGS
        value: []
      - name: BUILD_ARGS_FILE
        value: ""
      - name: PRIVILEGED_NESTED
        value: "false"
      - name: SOURCE_URL
        value: $(tasks.clone-repository.results.url)
      - name: BUILDAH_FORMAT
        value: docker
      # Proxy settings come from the init task's results; their values for
      # this run are not shown in this excerpt.
      - name: HTTP_PROXY
        value: $(tasks.init.results.http-proxy)
      - name: NO_PROXY
        value: $(tasks.init.results.no-proxy)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - prefetch-dependencies
      taskRef:
        params:
        - name: name
          value: buildah-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:681d9f65a7f50cb260ee576ccab551e11d63c549f1e1ef3d201da3c112855bd6
        - name: kind
          value: task
        resolver: bundles
    - name: build-image-index
      params:
      - name: IMAGE
        value: quay.io/redhat-appstudio-qe/konflux-xvul/konflux-demo-component-tuah:58ffd0a360cd540b26caa73605e00c0938f17d5b
      - name: ALWAYS_BUILD_INDEX
        value: "false"
      # The single input image is referenced as url@digest, so the index step
      # consumes exactly what build-container reported.
      - name: IMAGES
        value:
        - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
      - name: BUILDAH_FORMAT
        value: docker
      runAfter:
      - build-container
      taskRef:
        params:
        - name: name
          value: build-image-index
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb
        - name: kind
          value: task
        resolver: bundles
    - name: build-source-image
      params:
      - name: BINARY_IMAGE
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: BINARY_IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: source-build-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:0917cfc7772e82cb8e74743c2104f43bcf2596aceafe87eec6fce69a8cac5f06
        - name: kind
          value: task
        resolver: bundles
      # "false" is not in ["true"], so this guard can never pass: no source
      # image is built for this run. The task is listed under skippedTasks.
      when:
      - input: "false"
        operator: in
        values:
        - "true"
    - name: deprecated-base-image-check
      params:
      - name: IMAGE_URL
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: deprecated-image-check
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae
        - name: kind
          value: task
        resolver: bundles
      # "false" in ["false"] passes, so the check is enabled. The same guard
      # recurs on the scan and SAST tasks below. The input is already a
      # literal in this dump; which parameter it came from is not visible.
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    - name: clair-scan
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: clair-scan
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    - name: ecosystem-cert-preflight-checks
      params:
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: ecosystem-cert-preflight-checks
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:e2bcf1174a6dae9969b8f12e94babe2a5881bc77a509f10823b6a9eac6392850
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    # The SAST tasks take the source artifact produced after prefetch, so they
    # analyse the same tree that was handed to the build.
    - name: sast-snyk-check
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: TARGET_DIRS
        value: .
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: sast-snyk-check-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8f3ecbeaff579e41b8278f82d7fabac27845db17a8e687ea6c510c0c9aceabbb
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    - name: clamav-scan
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: clamav-scan
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    - name: sast-shell-check
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: TARGET_DIRS
        value: .
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: sast-shell-check-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    - name: sast-unicode-check
      params:
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: TARGET_DIRS
        value: .
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: CACHI2_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: sast-unicode-check-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    # apply-tags and push-dockerfile carry no `when` guard: they depend only
    # on build-image-index, not on the outcome of the check tasks above.
    - name: apply-tags
      params:
      - name: IMAGE_URL
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: apply-tags
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66
        - name: kind
          value: task
        resolver: bundles
    - name: push-dockerfile
      params:
      - name: IMAGE
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - name: DOCKERFILE
        value: Dockerfile
      - name: CONTEXT
        value: .
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: push-dockerfile-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71
        - name: kind
          value: task
        resolver: bundles
    - name: rpms-signature-scan
      params:
      - name: image-url
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - name: image-digest
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      runAfter:
      - build-image-index
      taskRef:
        params:
        - name: name
          value: rpms-signature-scan
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:4ceea61b0fa81bc5da05afb26d51e06e4843378d739e4d003b062d5d04cc5e90
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: "false"
        operator: in
        values:
        - "false"
    # Both credential workspaces are optional, so the pipeline can run with
    # neither bound; whether they were bound for this run is not shown here.
    workspaces:
    - name: git-auth
      optional: true
    - name: netrc
      optional: true
  # Controller feature flags recorded for this run. Two matter when judging
  # how much the recorded results can be trusted:
  #   enforceNonfalsifiability: none - SPIRE-based result attestation is not
  #     enforced by the controller.
  #   verificationNoMatchPolicy: ignore - a resolved task with no matching
  #     VerificationPolicy is run without a trusted-resources check.
  # With both off, task integrity rests on the digest pins above and on
  # whatever signing and policy evaluation happens outside this object.
  provenance:
    featureFlags:
      awaitSidecarReadiness: true
      coschedule: workspaces
      enableAPIFields: alpha
      enableParamEnum: true
      enableProvenanceInStatus: true
      enforceNonfalsifiability: none
      # Results travel through the container termination message, capped at
      # the size below.
      maxResultSize: 4096
      resultExtractionMethod: termination-message
      runningInEnvWithInjectedSidecars: true
      verificationNoMatchPolicy: ignore
  # Resolved pipeline results. IMAGE_URL carries a tag (the commit id), which
  # a registry can repoint; IMAGE_DIGEST is the content-addressed reference
  # to use when pulling, signing or looking up attestations.
  results:
  - name: IMAGE_URL
    value: quay.io/redhat-appstudio-qe/konflux-xvul/konflux-demo-component-tuah:58ffd0a360cd540b26caa73605e00c0938f17d5b
  - name: IMAGE_DIGEST
    value: sha256:825a44396c4b3844fb37a732a0ca18d4906a58d9c0895591aee34e7b78f279a6
  - name: CHAINS-GIT_URL
    value: https://github.com/redhat-appstudio-qe/hacbs-test-project-konflux-demo
  - name: CHAINS-GIT_COMMIT
    value: 58ffd0a360cd540b26caa73605e00c0938f17d5b
  # NOTE(review): the recorded reason is "PipelineRun was stopping", not a
  # when-expression result. The run's conditions and child TaskRuns are not in
  # this excerpt; check them before treating the run as fully passing.
  skippedTasks:
  - name: build-source-image
    reason: PipelineRun was stopping
    whenExpressions:
    - input: "false"
      operator: in
      values:
      - "true"
  spanContext:
    traceparent: 00-8ea3ef0374247f60bbe8d728abaee8b3-f8f3890c3a82a025-01
  startTime: "2026-05-06T07:14:39Z"