{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/6b43375c-d29a-401e-92ff-38b00ba58e67", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-49d4da9e1460b23a-01\"}" }, "creationTimestamp": "2026-05-11T11:39:58Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check" }, "name": "gl-0bbc961814f0444858e37db58fc92b8f-deprecated-base-image-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "83906", "uid": "6b43375c-d29a-401e-92ff-38b00ba58e67" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:11Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:11Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-0bbc961814f0444858e37db5a8e301632fc3af550c2cc77cadf0813c-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\", \"digests\": [\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:10+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-49d4da9e1460b23a-01" }, "startTime": "2026-05-11T11:39:58Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://f018477757db1e1ba1df7438ea6c4edb7b16f5d739c7578e3273d48b60ce38a2", "exitCode": 0, "finishedAt": "2026-05-11T11:40:10Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\\\", \\\"digests\\\": [\\\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:10+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:04Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/1dbcd699-f35f-479f-a139-0b91e8e0444b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-fa2b724f903f8c4b-01\"}" }, "creationTimestamp": "2026-05-11T11:39:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check" }, "name": "gl-22b79c3a9d2908c307c4ddce31c15bf9-deprecated-base-image-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "82822", "uid": "1dbcd699-f35f-479f-a139-0b91e8e0444b" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:55Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:55Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-22b79c3a9d2908c307c4ddcec8654f36c57ddf073e7bbf4fcf2b8edf-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\", \"digests\": [\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-05-11T11:39:55+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-fa2b724f903f8c4b-01" }, "startTime": "2026-05-11T11:39:44Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://8235e5d05beb4374fa1e4092724ba5744b805a1101d726a83a7c8e34167e1577", "exitCode": 0, "finishedAt": "2026-05-11T11:39:55Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\\\", \\\"digests\\\": [\\\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-05-11T11:39:55+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:49Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/85060fed-26aa-4334-893a-de16eaeb3e16", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-0f5f8624c7d5830a-01\"}" }, "creationTimestamp": "2026-05-11T11:38:37Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check" }, "name": "gl-5a74f07e0be8c137f49744882996b47d-deprecated-base-image-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "81254", "uid": "85060fed-26aa-4334-893a-de16eaeb3e16" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:49Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:49Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-5a74f07e0be8c137f49744881cdaff4306f3abad83318578bfde106b-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\", \"digests\": [\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-05-11T11:38:48+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-0f5f8624c7d5830a-01" }, "startTime": "2026-05-11T11:38:37Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://e475e989ed994f33e471d3993e016131e860d7a46d24d7c1692feea668a841ee", "exitCode": 0, "finishedAt": "2026-05-11T11:38:48Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\\\", \\\"digests\\\": [\\\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:48+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/7da424b3-d832-4068-9b78-949887a032bb", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-e85f20197a134956-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:33:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-92d67c6f44026f3890990cfcf3fd93be-deprecated-base-image-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "70598", "uid": "7da424b3-d832-4068-9b78-949887a032bb" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:04Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:04Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-92d67c6f44026f3890990cfc11a4affb75631c0617d42d852a935ea1-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\", \"digests\": [\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-05-11T11:34:03+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-e85f20197a134956-01" }, "startTime": "2026-05-11T11:33:52Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://5d67546a05b0c7352adb12d0de308a7b1aa04ff38589b44897ba4375d81b5322", "exitCode": 0, "finishedAt": "2026-05-11T11:34:03Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\\\", \\\"digests\\\": [\\\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:03+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:57Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/23c47bc7-3f40-440b-b936-26a5ace81827", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-4fc7bf8db82c7efb-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:33:01Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-faac7f96143ff37f9d4607fcb669791b-deprecated-base-image-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "69484", "uid": "23c47bc7-3f40-440b-b936-26a5ace81827" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:20Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:20Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-faac7f96143ff37f9d4607fc678403734086005746fb86ec1b491128-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\", \"digests\": [\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:33:19+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-4fc7bf8db82c7efb-01" }, "startTime": "2026-05-11T11:33:01Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://eac81ea663113c782cfd0f0387cc4ce199c3464fa5f9cb214623b6af0307861a", "exitCode": 0, "finishedAt": "2026-05-11T11:33:19Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\\\", \\\"digests\\\": [\\\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:19+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:12Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/3c5a10c0-5c31-4938-842d-4281efa1af65", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-02a210374f39e358-01\"}" }, "creationTimestamp": "2026-05-11T11:36:55Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min" }, "name": "gl-multi-0bbc961814f0444858e37db58fc92b8f-prefetch-dependencies", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "78420", "uid": "3c5a10c0-5c31-4938-842d-4281efa1af65" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-bylibv" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:39Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:39Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-0bbc961814f044485842d290d39218d936878787d8539e2295-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-02a210374f39e358-01" }, "startTime": "2026-05-11T11:36:55Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://e1b66cbbfcacd93f2284c3ca4f210cddf2fce17dca12f1a70f0bd1984e32ff1d", "exitCode": 0, "finishedAt": "2026-05-11T11:37:00Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:00Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://4ffe6e1d08ee46f03737374c482b37e50b540dd13b65c30360c0bd263dcfae5d", "exitCode": 0, "finishedAt": "2026-05-11T11:37:00Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:00Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://323dba9230d3772eca96644327639aaed30fb124a86bf2a5707f57ac1797d506", "exitCode": 0, "finishedAt": "2026-05-11T11:37:38Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:00Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://eed1606ac9bac20a37737ce281cc104d936a7db2bb0139085263cbd0934dac78", "exitCode": 0, "finishedAt": "2026-05-11T11:37:38Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:38Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/7d19e77f-5b93-414a-b817-6524b2ae30f2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-a41e4b95723b6288-01\"}" }, "creationTimestamp": "2026-05-11T11:36:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min" }, "name": "gl-multi-22b79c3a9d2908c307c4ddce31c15bf9-prefetch-dependencies", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "78064", "uid": "7d19e77f-5b93-414a-b817-6524b2ae30f2" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-tkaets" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:35Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:35Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-22b79c3a9d2908c3079d311a1e7ce4967f578d4e9b73b19c79-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-a41e4b95723b6288-01" }, "startTime": "2026-05-11T11:36:52Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://3dc050da2a63dda543e2c91437be3217acfce8cf1efca8452faee4ea168b0e3c", "exitCode": 0, "finishedAt": "2026-05-11T11:36:58Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:58Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://2687d62e75b7b27781ea2e1e15a9297bc5c38f7879919b8d4cfed4a973353efc", "exitCode": 0, "finishedAt": "2026-05-11T11:36:58Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:58Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://14be43cb8dc38efc0a4447c420a0a9d3026a657422caba885b9a5744ccda0c34", "exitCode": 0, "finishedAt": "2026-05-11T11:37:33Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:58Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://cc5ba2435e7337a89ebc6af62a06a6023c06d62d413870f9abd30117f7fccb1f", "exitCode": 0, "finishedAt": "2026-05-11T11:37:34Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:34Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/907e489b-e8f2-494c-a132-68bb0d3469f5", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-28a6a72dd11c7372-01\"}" }, "creationTimestamp": "2026-05-11T11:35:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min" }, "name": "gl-multi-5a74f07e0be8c137f49744882996b47d-prefetch-dependencies", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "75680", "uid": "907e489b-e8f2-494c-a132-68bb0d3469f5" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-ntnsju" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:28Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:28Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-5a74f07e0be8c137f4d2d0cfd8e686bdfc799d2fb9e424907b-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-28a6a72dd11c7372-01" }, "startTime": "2026-05-11T11:35:44Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://110a9f67beb41e458af17134621faceff883fceee15832380f024912cdd9f75c", "exitCode": 0, "finishedAt": "2026-05-11T11:35:49Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:49Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://b513caeebc6fc504c3ed036d84877b4dcbcd86589a6327abd994516690674384", "exitCode": 0, "finishedAt": "2026-05-11T11:35:49Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:49Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://88e7d23d372eb3a763eddc39be583320e5bb5959f8e3bf267363b3aef8ef30d9", "exitCode": 0, "finishedAt": "2026-05-11T11:36:27Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:49Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://1129cb0681fcdc39163f85d54b379ec5672d284c423732f039db0dceed562c57", "exitCode": 0, "finishedAt": "2026-05-11T11:36:27Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:27Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/e8c21f71-32dd-444e-b6b0-4edcad6047c7", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-7e574c333d6bda1b-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:28:16Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-92d67c6f44026f3890990cfcf3fd93be-prefetch-dependencies", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "61701", "uid": "e8c21f71-32dd-444e-b6b0-4edcad6047c7" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-kdnfcv" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:59Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:59Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-92d67c6f44026f389032f2de723b63a948ee9c2908876229c6-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-7e574c333d6bda1b-01" }, "startTime": "2026-05-11T11:28:16Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://c0aab171b58680dd8d29f93239ed56620287ac501726bbc5f70e18e5fbe6beb3", "exitCode": 0, "finishedAt": "2026-05-11T11:28:22Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:22Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://ac4c348d983707aa7f4a1b473cdf53ca65080bcc8acc3f0d25d77dbff379dc71", "exitCode": 0, "finishedAt": "2026-05-11T11:28:22Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:22Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://ba4ffc20dcdb6c24f19002405f44eb779b7387e158f0a3e0ac1386cccbfd0be8", "exitCode": 0, "finishedAt": "2026-05-11T11:28:58Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:22Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://ece8306024cc81c1df23654d4aafacdcc5a2b16bcdc3c9e0a2d8611d616675f7", "exitCode": 0, "finishedAt": "2026-05-11T11:28:58Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:58Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/0942a922-c4a1-4df1-8273-6d8517a9e241", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-2d7dce150b93d5b0-01\"}" }, "creationTimestamp": "2026-05-11T11:39:58Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan" }, "name": "gl-multi-co0bbc961814f0444858e37db58fc92b8f-rpms-signature-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "84013", "uid": "0942a922-c4a1-4df1-8273-6d8517a9e241" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "image-digest", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:13Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:13Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-co0bbc961814f04448ac418bb80e5c96ed366f8111eddae6bd-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\", \"digests\": [\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"199e2f91fd431d51\": 106, \"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:12+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-2d7dce150b93d5b0-01" }, "startTime": "2026-05-11T11:39:59Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://5588f29208a694da616c543396b648453d41e9052837841f77d44633215e53bb", "exitCode": 0, "finishedAt": "2026-05-11T11:40:11Z", "reason": "Completed", "startedAt": "2026-05-11T11:40:04Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://7d8f878f83cf7523b9413b9dac866ab468e4d4be7f10d80c700fb6ceb4debfdb", "exitCode": 0, "finishedAt": "2026-05-11T11:40:13Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\\\", \\\"digests\\\": [\\\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 106, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:12+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:12Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/9edc2539-330e-4b91-a355-ee13062d0db3", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-6975b8b46ab5cd41-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:33:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "rpms-signature-scan", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-co92d67c6f44026f3890990cfcf3fd93be-rpms-signature-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "70654", "uid": "9edc2539-330e-4b91-a355-ee13062d0db3" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "image-digest", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:07Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:07Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-co92d67c6f44026f38a77772c9aa3e011563884f8f99f804f8-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\", \"digests\": [\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"199e2f91fd431d51\": 102, \"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:05+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-6975b8b46ab5cd41-01" }, "startTime": "2026-05-11T11:33:52Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://c6034898d2f2cbce11f492406b6e68ca025043a1e267c4aff0afe4222f3feaa7", "exitCode": 0, "finishedAt": "2026-05-11T11:34:05Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:57Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://b1b1999c6915749041ac89d9662bffe4683cdb31ee91f8e2e6faa750148dd3ad", "exitCode": 0, "finishedAt": "2026-05-11T11:34:05Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\\\", \\\"digests\\\": [\\\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 102, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:05+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:05Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/a69f1b07-2592-4543-b720-6fcad0659037", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-784df1e6aa9b3562-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:33:01Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-cofaac7f96143ff37f9d4607fcb669791b-rpms-signature-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "69300", "uid": "a69f1b07-2592-4543-b720-6fcad0659037" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "image-digest", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:14Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:14Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-cofaac7f96143ff37f1d1b3e6c7dea143c4fe621103ce94543-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\", \"digests\": [\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"199e2f91fd431d51\": 106, \"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:33:14+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-784df1e6aa9b3562-01" }, "startTime": "2026-05-11T11:33:01Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://814f39d01ed419f39fd0ffb3d5631c57d0f022a559d699f13636d3a92497cfb9", "exitCode": 0, "finishedAt": "2026-05-11T11:33:13Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:06Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://738d9ddf60a959d3a5306f907929bfa25e0a46eed7004fb04563ab300d14eab0", "exitCode": 0, "finishedAt": "2026-05-11T11:33:14Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\\\", \\\"digests\\\": [\\\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 106, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:14+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:14Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/31386f80-003a-4799-a03a-94236da7501e", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-29aafc3474a4ff24-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:33:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-com92d67c6f44026f3890990cfcf3fd93be-sast-unicode-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "70574", "uid": "31386f80-003a-4799-a03a-94236da7501e" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:03Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:03Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-com92d67c6f44026f3594e9ab11646b3e80b4cef1aedccc128-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:00+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-29aafc3474a4ff24-01" }, "startTime": "2026-05-11T11:33:52Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://2c158982405b98b8d21f0af3052546df130ce167df65892adf3796ddd38051f5", "exitCode": 0, "finishedAt": "2026-05-11T11:33:58Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:57Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://10772ef218921ee2b1cf04a5f37807724eda5bf7d6015451ccc83e5644d0c414", "exitCode": 0, "finishedAt": "2026-05-11T11:34:00Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:00+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:59Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://2177418c05953268c0f5bddaac385bee6d2d5076996b9637a4a635eb87b99af7", "exitCode": 0, "finishedAt": "2026-05-11T11:34:02Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:00+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:00Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/a7f89f4a-f644-429e-8ad1-6a912c8296a7", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-db8309da5941abe7-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:33:01Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-comfaac7f96143ff37f9d4607fcb669791b-sast-unicode-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "70129", "uid": "a7f89f4a-f644-429e-8ad1-6a912c8296a7" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:51Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:51Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-comfaac7f96143ff37199e56ca73b909f829d602ef9ba319c1-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:33:49+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-db8309da5941abe7-01" }, "startTime": "2026-05-11T11:33:01Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://b27647942f6599b7e505d8fa1bad51fbb9e7aa7cec8df78406e8b924e3576540", "exitCode": 0, "finishedAt": "2026-05-11T11:33:47Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:47Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://0bb6ca77238037560d69065f29beccc0724c1ec07fc0e7bb3de988b3a14afc90", "exitCode": 0, "finishedAt": "2026-05-11T11:33:49Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:49+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:48Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://7f17574a1613e9595e26c19d9998d39f850e7afaf6651bb2ab9b6e66c1ca9b42", "exitCode": 0, "finishedAt": "2026-05-11T11:33:51Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:49+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:50Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/38781b01-f703-4d0c-80e6-e31fce0ebf3b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-b9ecaf7517a5cf83-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:32:22Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-comp92d67c6f44026f3890990cfcf3fd93be-build-image-index", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "70451", "uid": "38781b01-f703-4d0c-80e6-e31fce0ebf3b" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:51Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:51Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-comp92d67c6f44026f4a2eb9d1062ea25662e2efc40ece9a7a-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-b9ecaf7517a5cf83-01" }, "startTime": "2026-05-11T11:32:22Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://3b776cfd0a65c5a7665fddb67fd9b5a69c8588851f42f3c07de8400097bc71a7", "exitCode": 0, "finishedAt": "2026-05-11T11:33:48Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:45Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://ccc4e2d797ffc4a688042785132521bffc56e5fc9aa93f8bd44bda5b17915bd1", "exitCode": 0, "finishedAt": "2026-05-11T11:33:49Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:49Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://b2425a5415266e42ed7d1f329031f732ba5b37919aefec57615c108f99a4a00b", "exitCode": 0, "finishedAt": "2026-05-11T11:33:51Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:49Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"gl-multi-comp92d67c6f44026f3890990cfcf3fd93be-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/40be17f1-41f5-41c1-a6e6-52cf3548ee1f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-993ebd3f7525db5f-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:32:48Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-compfaac7f96143ff37f9d4607fcb669791b-build-image-index", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "68872", "uid": "40be17f1-41f5-41c1-a6e6-52cf3548ee1f" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:00Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:00Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-compfaac7f96143ff3940d8c3f65bfbb059a33ecf03f22a6ca-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-993ebd3f7525db5f-01" }, "startTime": "2026-05-11T11:32:48Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://e7b2d1c8f2f4cc6dc5d33298af7a6b13c241558e782ea98d58c436ad3baa325c", "exitCode": 0, "finishedAt": "2026-05-11T11:32:57Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:54Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://c8ea796564c9353bc763507e7759648bef29219b285075c954185923dab9c8e5", "exitCode": 0, "finishedAt": "2026-05-11T11:32:57Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:57Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://84c6c2dad13a173b7bee5404d7183f570ab7dc2b40436649a43a769c2ea08c9e", "exitCode": 0, "finishedAt": "2026-05-11T11:33:00Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:58Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"gl-multi-compfaac7f96143ff37f9d4607fcb669791b-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/1987a9e1-15ff-4a39-a87a-7232ed794532", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-f4d0bb35dcb41fd2-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:28:07Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-compo92d67c6f44026f3890990cfcf3fd93be-clone-repository", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "60145", "uid": "1987a9e1-15ff-4a39-a87a-7232ed794532" }, "spec": { "params": [ { "name": "url", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "revision", "value": "4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630.git" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-kdnfcv" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:16Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-compo92d67c6f440263d84d9cf0b58effceffec123edc2d0c0-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "commit", "type": "string", "value": "4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "commit-timestamp", "type": "string", "value": "1778498854" }, { "name": "short-commit", "type": "string", "value": "4e00838" }, { "name": "url", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-f4d0bb35dcb41fd2-01" }, "startTime": "2026-05-11T11:28:07Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://3e78c27135372e4810f1f4cb3dcacb065c1bf238896f09774ce926582bb129d0", "exitCode": 0, "finishedAt": "2026-05-11T11:28:13Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498854\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"4e00838\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:13Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://993fcb94ee4dc1ed3bdeae88777b524bdfb91fc73a075710da39221b0c8f0f83", "exitCode": 0, "finishedAt": "2026-05-11T11:28:14Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498854\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"4e00838\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:14Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://7b03b4b20d975975ad2b8af88d70d1f2f5c788a0b805327dda49b50e3a4eaf95", "exitCode": 0, "finishedAt": "2026-05-11T11:28:15Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb\",\"type\":1},{\"key\":\"commit\",\"value\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498854\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"4e00838\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:14Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "PARAM_REVISION", "value": "4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/3b1c314b-be93-45de-9271-5551cbdf16f2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-f139715e04dcfbec-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:33:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-compo92d67c6f44026f3890990cfcf3fd93be-sast-shell-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "71590", "uid": "3b1c314b-be93-45de-9271-5551cbdf16f2" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:34Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:34Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-compo92d67c6f44026be57e41e356a687b0bd8fc8ee43979c1-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:32+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-f139715e04dcfbec-01" }, "startTime": "2026-05-11T11:33:52Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://24fc2fd2d5867a0a0e7572e1689b1f1bd03dff8c85d23eaa451cd8ac18c5da2c", "exitCode": 0, "finishedAt": "2026-05-11T11:34:22Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:21Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "cri-o://954e9db225e515b109b982335c0f6e513cb5b10e60ff9419d4c13befa8445f7e", "exitCode": 0, "finishedAt": "2026-05-11T11:34:32Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:22Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://fb8798f7717ac2d6f1d390407e52e704baef468f23ae01157ae660e90482d8e4", "exitCode": 0, "finishedAt": "2026-05-11T11:34:33Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:32Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/f2082660-ec18-42bc-9a8a-6dbde5740c97", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-5a1231bc96ba3631-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:28:27Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-compofaac7f96143ff37f9d4607fcb669791b-clone-repository", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "61017", "uid": "f2082660-ec18-42bc-9a8a-6dbde5740c97" }, "spec": { "params": [ { "name": "url", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "revision", "value": "a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8.git" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-vbxbvj" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:35Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:35Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-compofaac7f96143ff127d68418b0a3a51c0c9ccd18f218528-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "commit", "type": "string", "value": "a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "commit-timestamp", "type": "string", "value": "1778498893" }, { "name": "short-commit", "type": "string", "value": "a4ffc1f" }, { "name": "url", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-5a1231bc96ba3631-01" }, "startTime": "2026-05-11T11:28:27Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://3a4b230cf655c597cc32129710853d8d710d526d39c62f6f6d50aeb120bb2391", "exitCode": 0, "finishedAt": "2026-05-11T11:28:33Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498893\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a4ffc1f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:32Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://3bd0fa38f16080e35e8c3105b72e2ff6df33e5685a9c5797f714b00f77ece980", "exitCode": 0, "finishedAt": "2026-05-11T11:28:33Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498893\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a4ffc1f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:33Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://4311be0e3981e2920e9363603bfb421af45de0b954e0378b9925ca3aac66ffd8", "exitCode": 0, "finishedAt": "2026-05-11T11:28:34Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07\",\"type\":1},{\"key\":\"commit\",\"value\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498893\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a4ffc1f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:33Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "PARAM_REVISION", "value": "a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/90c52de1-e15e-4854-9f0f-a9960f7326b4", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-bd91babf0ff856e4-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:33:01Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-compofaac7f96143ff37f9d4607fcb669791b-sast-shell-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "70879", "uid": "90c52de1-e15e-4854-9f0f-a9960f7326b4" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:16Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-compofaac7f96143ffa6a9beba2f9f31456ee3a43fe0617723-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:33:59+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-bd91babf0ff856e4-01" }, "startTime": "2026-05-11T11:33:01Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://e21127dcb985f7643964bcf775b5b4edf64bd54dab5e33a9128a1de5ec1361aa", "exitCode": 0, "finishedAt": "2026-05-11T11:34:15Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:46Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "cri-o://22d580431e02520df712e00f8c86ea8114c6ebec8aa1468deca685fa087e13f6", "exitCode": 0, "finishedAt": "2026-05-11T11:34:15Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:59+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:47Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://8c97e56c3760a3822a42a9d22ddbb00e80213409c34d155f004381084b0651d7", "exitCode": 0, "finishedAt": "2026-05-11T11:34:15Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:59+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:00Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/612232fa-5ee5-4224-b79d-7a0d4dea726f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-3e03777c8dbc26ef-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:29:00Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-compon92d67c6f44026f3890990cfcf3fd93be-build-container", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "67526", "uid": "612232fa-5ee5-4224-b79d-7a0d4dea726f" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "COMMIT_SHA", "value": "4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:32:21Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:32:21Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-compon92d67c6f440227f1a84ae548c4502b4c6553ce942932-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:086ca5907372eb16d3ef10bfb36d67a39d534eb16b1b119d60e5d7c96c0869a5" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-3e03777c8dbc26ef-01" }, "startTime": "2026-05-11T11:29:00Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://6913b7dd2044cedf2060f432b65338872a8f23a5246eefbca1430a7a5526541f", "exitCode": 0, "finishedAt": "2026-05-11T11:29:09Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:09Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://080a09032e6a7e14a8e59aa15964026a37f27380630269766fa7fc6a529bba1a", "exitCode": 0, "finishedAt": "2026-05-11T11:30:35Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:10Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://6d214907d8c1c79ddc5478abf3ad019db17dde4a228087447918904d931db457", "exitCode": 0, "finishedAt": "2026-05-11T11:31:09Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:36Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://d637ab34ba70de57791ab96e4805de4b0962409a154907021bc8957e317e3c78", "exitCode": 0, "finishedAt": "2026-05-11T11:31:27Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:31:09Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://e2858468323fa56572485d30160e2b22f1fe223276ab04c36f31aebf034bd283", "exitCode": 0, "finishedAt": "2026-05-11T11:31:51Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:31:28Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://4da7c9a88cae9f578538ee81c43feac4fbc6334f12f2e8670099939dc52fd672", "exitCode": 0, "finishedAt": "2026-05-11T11:32:21Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630@sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:086ca5907372eb16d3ef10bfb36d67a39d534eb16b1b119d60e5d7c96c0869a5\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:31:52Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:0bc701c77506c841a578551addc95b798cfdd98f949c79b38864032f321990fb=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "gl-multi-compon92d67c6f44026f3890990cfcf3fd93be-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/d42fab19-55d6-43ae-9ff7-e8c892dddcca", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-f051d8073a011b0d-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:33:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-component-child-rexo-on-pull-request-z74zt-clamav-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "72853", "uid": "d42fab19-55d6-43ae-9ff7-e8c892dddcca" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:35:06Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:35:06Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rea9ec2612d4355e6ba9e7758bf79bfc5b-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\", \"digests\": [\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499303\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-f051d8073a011b0d-01" }, "startTime": "2026-05-11T11:33:52Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://e66a1a9058f64498c2a4226d7dce7316856d7c74b40ef58f2f4af24a9f04c386", "exitCode": 0, "finishedAt": "2026-05-11T11:35:03Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\\\", \\\"digests\\\": [\\\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499303\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:08Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://336c839b5ffffb6a745c69c7f611c6149ace20d0ad91f33282552aebfc1d4887", "exitCode": 0, "finishedAt": "2026-05-11T11:35:05Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\\\", \\\"digests\\\": [\\\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499303\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:03Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/498219c7-4217-4aff-9b7d-d314df6ae0d1", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-2ff361fdb73ea620-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:27:44Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-component-child-rexo-on-pull-request-z74zt-init", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "59604", "uid": "498219c7-4217-4aff-9b7d-d314df6ae0d1" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:06Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:06Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-pull-request-z74zt-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-2ff361fdb73ea620-01" }, "startTime": "2026-05-11T11:27:44Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://5c22af58204f38be16dfd92fe34101bc8bc7286170d4db36a6491c3dcb2b6499", "exitCode": 0, "finishedAt": "2026-05-11T11:28:06Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:06Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/commit_sha": "4e0083838b526589303c456dd5d62ba0c526c630", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kdnfcv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-pull-request-z74zt", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/sha-title": "Konflux update gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7/records/37e124f9-330d-496f-a924-76eecfdafbf3", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"4e0083838b526589303c456dd5d62ba0c526c630\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/bab99032-a5c6-423f-b501-e77e798b45b7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-179a595b9f12d2c2f5d0da65c30a57b5-7de0e0939deff5a3-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-child-rexo" }, "creationTimestamp": "2026-05-11T11:33:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "4e0083838b526589303c456dd5d62ba0c526c630", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-pull-request-z74zt", "tekton.dev/pipelineRunUID": "bab99032-a5c6-423f-b501-e77e798b45b7", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan", "test.appstudio.openshift.io/pr-group-sha": "d1ba98afa7dcbc964b3a645bc57114d858b7dd07a21b636e869256c5c257a2" }, "name": "gl-multi-component-child-rexo-on-pull-request-z74zt-tpa-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-pull-request-z74zt", "uid": "bab99032-a5c6-423f-b501-e77e798b45b7" } ], "resourceVersion": "71107", "uid": "37e124f9-330d-496f-a924-76eecfdafbf3" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:19Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:19Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rebb3be6f6c3ea67c7c747d138dd3f4d0e-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\", \"digests\": [\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\":\"sha256:cf9960b25f74f81f585439e20e455b6ba5db37631a629b30b34e9670782fb3b4\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":6,\"high\":46,\"medium\":104,\"low\":14,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:18+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-179a595b9f12d2c2f5d0da65c30a57b5-7de0e0939deff5a3-01" }, "startTime": "2026-05-11T11:33:53Z", "steps": [ { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://952e34f20fdc60042c15664d07cc03fb8176f88326892983527fc98c5b38a6f5", "exitCode": 0, "finishedAt": "2026-05-11T11:34:11Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:09Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://d3b3ea61eb2629ac80da4f877e17623bc8ced04d5d25339478a84bea9fbdf86b", "exitCode": 0, "finishedAt": "2026-05-11T11:34:14Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:12Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://0454a9db7f58ed1587994bab9a0e8c774628c5d52bed862ce7acdc1c307c4309", "exitCode": 0, "finishedAt": "2026-05-11T11:34:18Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630\\\", \\\"digests\\\": [\\\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a\\\":\\\"sha256:cf9960b25f74f81f585439e20e455b6ba5db37631a629b30b34e9670782fb3b4\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":6,\\\"high\\\":46,\\\"medium\\\":104,\\\"low\\\":14,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:18+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:14Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" }, { "name": "IMAGE_DIGEST", "value": "sha256:34d3b8d08191523c6dfe5568894d843726a589a42323f4485d26527bcebc8d4a" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:on-pr-4e0083838b526589303c456dd5d62ba0c526c630" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/b7f6e7b6-65fd-458c-b3df-06888bdc7ba9", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-712bd67f460b8fa7-01\"}" }, "creationTimestamp": "2026-05-11T11:37:35Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-build-container", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "82057", "uid": "b7f6e7b6-65fd-458c-b3df-06888bdc7ba9" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:34Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:34Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-7lsj7-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:49627d7a1ee3c9846786c40f569cdf5342af091f310badcc2ce341f64e38f10a" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-712bd67f460b8fa7-01" }, "startTime": "2026-05-11T11:37:36Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://506ab67f2585437a36aebd6bc11471c44c338357b954a111ab8f385acb0a6ac3", "exitCode": 0, "finishedAt": "2026-05-11T11:37:40Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:40Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://ad0052768544a3b9446c83abe96875023eda0e390b12ad56ef17f0353ebaacea", "exitCode": 0, "finishedAt": "2026-05-11T11:37:54Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:41Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://50ea64f80de62833f8bdf18f72de85a9494de346efb6b5f30bb702c205ca3ff6", "exitCode": 0, "finishedAt": "2026-05-11T11:38:26Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:55Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://f3888570ba8ea60440c30fb48f9535fcf75168b15fbc1e66bdf2169d49907e8a", "exitCode": 0, "finishedAt": "2026-05-11T11:38:43Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:26Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://a12fa02923b2ed8a3e1e2912a8ad7e41cae94b1e434367cc2340f0f0e1c6160a", "exitCode": 0, "finishedAt": "2026-05-11T11:39:07Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:43Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://c6ca4365490c9842b243bb1efcf5f9787ab1d40314eec2d3aabfa12be261977f", "exitCode": 0, "finishedAt": "2026-05-11T11:39:33Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:49627d7a1ee3c9846786c40f569cdf5342af091f310badcc2ce341f64e38f10a\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:07Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "gl-multi-component-child-rexo-on-push-7lsj7-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/8517e426-8982-4b5d-b0c3-f18f143d86c3", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-c985ef3db73e7b38-01\"}" }, "creationTimestamp": "2026-05-11T11:39:34Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index-min" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-build-image-index", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "82481", "uid": "8517e426-8982-4b5d-b0c3-f18f143d86c3" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:44Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:44Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-re1388dc20a99c232ae5fb89fbbb71bf40-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-c985ef3db73e7b38-01" }, "startTime": "2026-05-11T11:39:34Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://364374e041af046edb6e02c6a8efba4529512173aea3c510f571652fd8c3dae5", "exitCode": 0, "finishedAt": "2026-05-11T11:39:41Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:39Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://d56643cfe27c95b3869e8d36ba5723fb20aea6d014a089a8af935508847524bc", "exitCode": 0, "finishedAt": "2026-05-11T11:39:41Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:41Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://9bc9a28f7375efff5d7de23243d294b718936c7569a4cc8058a65cdb5c33748e", "exitCode": 0, "finishedAt": "2026-05-11T11:39:44Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:42Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8@sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"gl-multi-component-child-rexo-on-push-7lsj7-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/1cd0f624-5abd-4e38-908d-50dd0167b225", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-5a192fb65f3899fc-01\"}" }, "creationTimestamp": "2026-05-11T11:39:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-clamav-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "84670", "uid": "1cd0f624-5abd-4e38-908d-50dd0167b225" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:49Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:49Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-7lsj7-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\", \"digests\": [\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499646\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-5a192fb65f3899fc-01" }, "startTime": "2026-05-11T11:39:44Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://95ae3a289ee1d46297c94de3294626b5d5336a6c3d13bcf5d1d90df1da9ececb", "exitCode": 0, "finishedAt": "2026-05-11T11:40:47Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\\\", \\\"digests\\\": [\\\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499646\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:50Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://1db2ad84e1df3fc30bbedf28ca1a318559825523d631c46bd62e25a33529f160", "exitCode": 0, "finishedAt": "2026-05-11T11:40:49Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\\\", \\\"digests\\\": [\\\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499646\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:47Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/3d5803bd-82ee-4934-b36f-c1710e83dc34", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-062ed7ecc46267c3-01\"}" }, "creationTimestamp": "2026-05-11T11:36:43Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-clone-repository", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "76941", "uid": "3d5803bd-82ee-4934-b36f-c1710e83dc34" }, "spec": { "params": [ { "name": "url", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "revision", "value": "994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8.git" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-tkaets" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:51Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:51Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-re23f9ddea4464f41936c8ace42426ed44-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "commit", "type": "string", "value": "994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "commit-timestamp", "type": "string", "value": "1778499389" }, { "name": "short-commit", "type": "string", "value": "994d9d9" }, { "name": "url", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-062ed7ecc46267c3-01" }, "startTime": "2026-05-11T11:36:43Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://3e104db0957592ca3287a3017b39f6df5b8a114624eabed95a796879c101aa00", "exitCode": 0, "finishedAt": "2026-05-11T11:36:49Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499389\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"994d9d9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:48Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://caa5e90440e575a30d49fa0ab30c93ee1a38e7c8ba687c0a392258e31d18e409", "exitCode": 0, "finishedAt": "2026-05-11T11:36:49Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499389\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"994d9d9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:49Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://ef9f0a63d55c31f54ff7597375adc980ea94f077ebacffb9e14d8a7d9fce6347", "exitCode": 0, "finishedAt": "2026-05-11T11:36:50Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6\",\"type\":1},{\"key\":\"commit\",\"value\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499389\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"994d9d9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:49Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "PARAM_REVISION", "value": "994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/cbcaa584-e765-4c9d-b69b-7f7d011c3dc2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-d72fba406298f299-01\"}" }, "creationTimestamp": "2026-05-11T11:36:37Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-init", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "76584", "uid": "cbcaa584-e765-4c9d-b69b-7f7d011c3dc2" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:43Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:43Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-7lsj7-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-d72fba406298f299-01" }, "startTime": "2026-05-11T11:36:37Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://a09a9ef5dce07e7dd35623db29dd2667fe168fb27d405b2589f69cb63013cace", "exitCode": 0, "finishedAt": "2026-05-11T11:36:42Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:42Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/c7e8207d-2069-480b-bc82-3985beceabde", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-2946f82b27be01d8-01\"}" }, "creationTimestamp": "2026-05-11T11:39:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-rpms-signature-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "83052", "uid": "c7e8207d-2069-480b-bc82-3985beceabde" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "image-digest", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:59Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:59Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-re260b53f305060077b061a852818601fe-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\", \"digests\": [\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"199e2f91fd431d51\": 102, \"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:39:59+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-2946f82b27be01d8-01" }, "startTime": "2026-05-11T11:39:44Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://3af3a72167d78bebba410d42eccfe94a0ea38eee7737a8a2e50c03efbb9fe97e", "exitCode": 0, "finishedAt": "2026-05-11T11:39:57Z", "reason": "Completed", "startedAt": "2026-05-11T11:39:50Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://7f8fba3e6d3b5103dbfba69de952f0109d1c5df1c046f00f09fe2775e9bbf122", "exitCode": 0, "finishedAt": "2026-05-11T11:39:59Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\\\", \\\"digests\\\": [\\\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 102, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:39:59+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:58Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/fae94579-f03e-459b-b68c-317710cb14f4", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-de36cda788d299fb-01\"}" }, "creationTimestamp": "2026-05-11T11:39:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-sast-shell-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "83440", "uid": "fae94579-f03e-459b-b68c-317710cb14f4" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:02Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:02Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-re1834ea7283de6a191c739a9a853a728c-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:00+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-de36cda788d299fb-01" }, "startTime": "2026-05-11T11:39:44Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://5b24749c62f2aac70dbd6d2a1e982b326502af498f0a968240649f2030adf3ad", "exitCode": 0, "finishedAt": "2026-05-11T11:39:49Z", "reason": "Completed", "startedAt": "2026-05-11T11:39:49Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "cri-o://759a3cb3c8f7a95cd6ee62201961b673a5319d84f497238bb7b5cd3a575c7584", "exitCode": 0, "finishedAt": "2026-05-11T11:40:00Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:00+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:49Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://7bd2497a56fa55039bfddaa577e72e4c50a2b3a4812cef766cd1f86c0378c354", "exitCode": 0, "finishedAt": "2026-05-11T11:40:02Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:00+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:01Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/665fb293-fae4-4f97-96b9-818489743e4a", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-48a4f3e84a66a080-01\"}" }, "creationTimestamp": "2026-05-11T11:39:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-sast-unicode-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "82810", "uid": "665fb293-fae4-4f97-96b9-818489743e4a" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:53Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:53Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-re603bd11ec23f61a1cb9c5ee94ef507b7-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:39:51+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-48a4f3e84a66a080-01" }, "startTime": "2026-05-11T11:39:45Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://86e450bfeb4f1eabbb1fb089ff5adef8ab51d573463d379575de78264bfcb9c4", "exitCode": 0, "finishedAt": "2026-05-11T11:39:50Z", "reason": "Completed", "startedAt": "2026-05-11T11:39:50Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://25df2c8828c8f7d36334e54743b058f8fe60fdccde8e06e7174a9c4d44a2a1bc", "exitCode": 0, "finishedAt": "2026-05-11T11:39:51Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:39:51+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:50Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://38718f937540735679a27ead4ab452e04d4ed39ecd538f674e306d6a6ebb894b", "exitCode": 0, "finishedAt": "2026-05-11T11:39:52Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:39:51+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:52Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:9942ac142fa6b260bec2a46ada7502b5aa9d8cf8535c15422c3056ba221d19d6=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/commit_sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tkaets", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-7lsj7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0/records/1ff42a26-b724-4944-8039-22b6ec3f5d06", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"994d9d99adcc535f4413cd0ee7842e23026140c8\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/f4dc841d-3db4-469a-861d-7027efc5d0d0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-47663917638f344eb09c5f89895d3ab6-8f2627df39314487-01\"}" }, "creationTimestamp": "2026-05-11T11:39:44Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "994d9d99adcc535f4413cd0ee7842e23026140c8", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-7lsj7", "tekton.dev/pipelineRunUID": "f4dc841d-3db4-469a-861d-7027efc5d0d0", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan" }, "name": "gl-multi-component-child-rexo-on-push-7lsj7-tpa-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-7lsj7", "uid": "f4dc841d-3db4-469a-861d-7027efc5d0d0" } ], "resourceVersion": "83362", "uid": "1ff42a26-b724-4944-8039-22b6ec3f5d06" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:01Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:01Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-7lsj7-tpa-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\", \"digests\": [\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\":\"sha256:cec3b2b6bc0aacc8421dc2154cfe4e90cbe6343817f01b98e619d34991a6bd1b\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":6,\"high\":46,\"medium\":104,\"low\":14,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:00+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-47663917638f344eb09c5f89895d3ab6-8f2627df39314487-01" }, "startTime": "2026-05-11T11:39:44Z", "steps": [ { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://d83b1f684915512e55e422e98523bd4af244544372374a23745d0c89d388d780", "exitCode": 0, "finishedAt": "2026-05-11T11:39:52Z", "reason": "Completed", "startedAt": "2026-05-11T11:39:50Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://c07ccbe94395e1e811f1fa557ac54b16b68eb7388e341fccfdd808bdd2a30347", "exitCode": 0, "finishedAt": "2026-05-11T11:39:55Z", "reason": "Completed", "startedAt": "2026-05-11T11:39:52Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://9c7645d027c8ae512c2cd69b5a15ad60fc612285df498fa325922f55c19fe48e", "exitCode": 0, "finishedAt": "2026-05-11T11:40:00Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8\\\", \\\"digests\\\": [\\\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4\\\":\\\"sha256:cec3b2b6bc0aacc8421dc2154cfe4e90cbe6343817f01b98e619d34991a6bd1b\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":6,\\\"high\\\":46,\\\"medium\\\":104,\\\"low\\\":14,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:00+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:56Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" }, { "name": "IMAGE_DIGEST", "value": "sha256:3281f5fa957c914a6f7b204d6cbe3bdfcc3805a50c39368f82e2594e9c8c59b4" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:994d9d99adcc535f4413cd0ee7842e23026140c8" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/bde0945a-e95b-4895-bf30-c71c04c6fc89", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-cf527fa28c5324ea-01\"}" }, "creationTimestamp": "2026-05-11T11:36:29Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-build-container", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "80113", "uid": "bde0945a-e95b-4895-bf30-c71c04c6fc89" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:26Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:26Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-wk66w-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a1d6a5b57fb5b9dd8b6c8d4163e3311664f93adb8efa1398f031c9a6295d722f" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-cf527fa28c5324ea-01" }, "startTime": "2026-05-11T11:36:29Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://3cf5e43e88ae89e07d5fc66c36bfe6e980e91f36488ae82cc023d501a05e5494", "exitCode": 0, "finishedAt": "2026-05-11T11:36:35Z", "reason": "Completed", "startedAt": "2026-05-11T11:36:34Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://bebd818ba4c65bb902e05f00a39545714b0343fb38d63477211dc56bac6c5266", "exitCode": 0, "finishedAt": "2026-05-11T11:36:49Z", "reason": "Completed", "startedAt": "2026-05-11T11:36:36Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://b70ca02d9b323a30be4fe2febf3bc37031aff98c3e0693103355df3f0a5262be", "exitCode": 0, "finishedAt": "2026-05-11T11:37:21Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:50Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://44a7a9b7368c1ae9f44401dfeb450a1e72def6aa02927f30152ccc2d07f64af4", "exitCode": 0, "finishedAt": "2026-05-11T11:37:39Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:22Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://72de7751d970de7b68c0be7521813e0618a108f6d292c25833323fbb0177929a", "exitCode": 0, "finishedAt": "2026-05-11T11:38:01Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:39Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://7a4f025382a2c94683bd498af8dac26fd3ee58bdba80a2c6b14727803b35d4a2", "exitCode": 0, "finishedAt": "2026-05-11T11:38:26Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a1d6a5b57fb5b9dd8b6c8d4163e3311664f93adb8efa1398f031c9a6295d722f\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:01Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "gl-multi-component-child-rexo-on-push-wk66w-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/283ddfd8-d3ea-4c32-b1b6-be0649222c4e", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-4293e8d0bd9700c3-01\"}" }, "creationTimestamp": "2026-05-11T11:38:27Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index-min" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-build-image-index", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "80909", "uid": "283ddfd8-d3ea-4c32-b1b6-be0649222c4e" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:37Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:37Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-re8b85bed0fcc29e66114fe481c7be4c3c-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-4293e8d0bd9700c3-01" }, "startTime": "2026-05-11T11:38:27Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://64fe3a1e00330554e07d143ae5aa1cb18552a9ce8f6b0199667473b8e9770b9a", "exitCode": 0, "finishedAt": "2026-05-11T11:38:34Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:32Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://5c635ad256abf0fab317a729ef72b1b0a5d6fc4f844a9e306087e632953457da", "exitCode": 0, "finishedAt": "2026-05-11T11:38:34Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:34Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://830e582221806842d1d2aab7aebbe5ac54cd4475606b5528c8f23c0b92b5c4f9", "exitCode": 0, "finishedAt": "2026-05-11T11:38:36Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:34Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795@sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"gl-multi-component-child-rexo-on-push-wk66w-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/3f2a03d2-a335-4edf-b2ef-67c55cb65b1e", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-8edfa06503003e49-01\"}" }, "creationTimestamp": "2026-05-11T11:38:37Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-clamav-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "82405", "uid": "3f2a03d2-a335-4edf-b2ef-67c55cb65b1e" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:46Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:46Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-wk66w-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\", \"digests\": [\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499583\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-8edfa06503003e49-01" }, "startTime": "2026-05-11T11:38:37Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://75e34413bd17bc5ef5f9e64915716038c4a68541c0f87cf67bd4b76754b9c44d", "exitCode": 0, "finishedAt": "2026-05-11T11:39:43Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\\\", \\\"digests\\\": [\\\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499583\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://c5f4df22ee16c730ce3c53db85ddba3ebbaaa563f205bb143e010b627d6b1751", "exitCode": 0, "finishedAt": "2026-05-11T11:39:45Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\\\", \\\"digests\\\": [\\\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499583\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:43Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/4dba017e-489a-4b92-90d9-e2f69b998f8a", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-ce378b24af8d1f7b-01\"}" }, "creationTimestamp": "2026-05-11T11:35:36Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-clone-repository", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "74634", "uid": "4dba017e-489a-4b92-90d9-e2f69b998f8a" }, "spec": { "params": [ { "name": "url", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "revision", "value": "e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795.git" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-ntnsju" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:35:43Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:35:43Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rebd7d8f1e0eb39e37e33cfb8b9e0cba11-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "commit", "type": "string", "value": "e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "commit-timestamp", "type": "string", "value": "1778499324" }, { "name": "short-commit", "type": "string", "value": "e00807d" }, { "name": "url", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-ce378b24af8d1f7b-01" }, "startTime": "2026-05-11T11:35:36Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://d7913bff2bab19e74bfcd58931e8840140587e87dd8b2ced17056d2dc555d53b", "exitCode": 0, "finishedAt": "2026-05-11T11:35:41Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499324\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"e00807d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:40Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://7e9810f20901c721751d033658bd0f7c0166df480a47fb3bc4b741091496fa39", "exitCode": 0, "finishedAt": "2026-05-11T11:35:42Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499324\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"e00807d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:41Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://17d66c9897d021627980088505148cf96009fdbd431c4494396ff6a2d32f6ac0", "exitCode": 0, "finishedAt": "2026-05-11T11:35:43Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d\",\"type\":1},{\"key\":\"commit\",\"value\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499324\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"e00807d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-child-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:42Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv" }, { "name": "PARAM_REVISION", "value": "e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/459c9504-e08e-4544-a0eb-17be95cc35fd", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-d1b72a2015d1019d-01\"}" }, "creationTimestamp": "2026-05-11T11:35:31Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-init", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "73932", "uid": "459c9504-e08e-4544-a0eb-17be95cc35fd" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:35:35Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:35:35Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-wk66w-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-d1b72a2015d1019d-01" }, "startTime": "2026-05-11T11:35:31Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://3d172b5f357dd2b6df919072600ef77a68f7bed4302ddcd0acc71169fa394a01", "exitCode": 0, "finishedAt": "2026-05-11T11:35:35Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:35:34Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/e806f2de-779e-4aa3-8c18-e142a9756337", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-860345f1f0f2316e-01\"}" }, "creationTimestamp": "2026-05-11T11:38:37Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-rpms-signature-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "81317", "uid": "e806f2de-779e-4aa3-8c18-e142a9756337" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "image-digest", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:51Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:51Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-refcb4c48f9309f7bac66a0f729f89f7a2-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\", \"digests\": [\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"199e2f91fd431d51\": 102, \"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:51+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-860345f1f0f2316e-01" }, "startTime": "2026-05-11T11:38:37Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://d87b3fb2e3227185d0d4aadcbdc025bc1e767e26e01555f3f1c187237fe619f5", "exitCode": 0, "finishedAt": "2026-05-11T11:38:50Z", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://e0987ed61949fa20cdbe21039b2be0489474d275e55e474943f62fe9c2bd4112", "exitCode": 0, "finishedAt": "2026-05-11T11:38:51Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\\\", \\\"digests\\\": [\\\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 102, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:51+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:51Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/00321480-8362-4ba0-9b74-0b2712c92e45", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-0594306905bcdfc7-01\"}" }, "creationTimestamp": "2026-05-11T11:38:37Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-sast-shell-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "81382", "uid": "00321480-8362-4ba0-9b74-0b2712c92e45" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:55Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:55Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rec7a02f314016a4758389b51a0c57b753-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:53+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-0594306905bcdfc7-01" }, "startTime": "2026-05-11T11:38:37Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://7efa2258f5f7a7ad595db32ef8cb22e553d48e5d83cc2c1b6f60750e7524287e", "exitCode": 0, "finishedAt": "2026-05-11T11:38:42Z", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "cri-o://547bfc6e3e3aa210bc55850c58cf7b35affc6e38fd30e584b57177c581532cdb", "exitCode": 0, "finishedAt": "2026-05-11T11:38:53Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:53+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://eca13de31c5ce32f0d4ac72ab5151bcbecfe0ce16cdac956592d61e83da16c02", "exitCode": 0, "finishedAt": "2026-05-11T11:38:54Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:53+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:53Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/f5ea63f1-0394-474e-be2b-dce99d3aa4f1", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-815bd9ec137794e1-01\"}" }, "creationTimestamp": "2026-05-11T11:38:37Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-sast-unicode-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "81121", "uid": "f5ea63f1-0394-474e-be2b-dce99d3aa4f1" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:45Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:45Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rea65ede7a6468694ce35c7a97a20b3cfc-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:43+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-815bd9ec137794e1-01" }, "startTime": "2026-05-11T11:38:37Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://ccfea3eed1a749aeb322654a1585b52895f896484805aba801ccc469cd6f759f", "exitCode": 0, "finishedAt": "2026-05-11T11:38:42Z", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://0d3c5269a13bed812d6c42d7d30a3fa52f5bebea414e0d42d89823b3042d42fd", "exitCode": 0, "finishedAt": "2026-05-11T11:38:43Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:43+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://057364e8243af7cf401c3fdfd109d80bd3b2dd2608785986ba8ef21078972a20", "exitCode": 0, "finishedAt": "2026-05-11T11:38:44Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:43+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:43Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo@sha256:a4f328ee1cddfdfbb1ae4fed7ed47ecb552416010c79ba24c77f0145475ac55d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/tree/e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/commit_sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "build.appstudio.redhat.com/target_branch": "multi-component-child-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-child-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ntnsju", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-child-rexo-on-push-wk66w", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-child-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-child-rexo' into 'multi-component-child-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv/-/commit/e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-child-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090818", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-child-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090818", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b/records/100a4c71-b1f7-4672-a1ef-366c4c68fd9c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-child-twjokv\",\"commit\":\"e00807ddfa5c59675de2a49103f4321dcd8a9795\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/e652c946-2caf-40fa-9711-6b339e40416b", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-d94b3291a9266b84e5e7240894580ab4-3daa01fc65f420cd-01\"}" }, "creationTimestamp": "2026-05-11T11:38:37Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-child-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-child-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-child-rexo", "pipelinesascode.tekton.dev/sha": "e00807ddfa5c59675de2a49103f4321dcd8a9795", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRun": "gl-multi-component-child-rexo-on-push-wk66w", "tekton.dev/pipelineRunUID": "e652c946-2caf-40fa-9711-6b339e40416b", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan" }, "name": "gl-multi-component-child-rexo-on-push-wk66w-tpa-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-child-rexo-on-push-wk66w", "uid": "e652c946-2caf-40fa-9711-6b339e40416b" } ], "resourceVersion": "81337", "uid": "100a4c71-b1f7-4672-a1ef-366c4c68fd9c" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-child-rexo", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:53Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:53Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-child-rexo-on-push-wk66w-tpa-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\", \"digests\": [\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\":\"sha256:f714c11fd991992444734e31070707f09af403411d0da4ceeb3905c24d9a313b\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":6,\"high\":46,\"medium\":104,\"low\":14,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:52+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-d94b3291a9266b84e5e7240894580ab4-3daa01fc65f420cd-01" }, "startTime": "2026-05-11T11:38:37Z", "steps": [ { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://ad88a0678e3ce11d912c6e849e21ac2572a2aee84b8e26279e06d3138c8dbe2d", "exitCode": 0, "finishedAt": "2026-05-11T11:38:44Z", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://6fd11278fa08945ce6694f88f6ccc037ac0a799883f707e1a3f7f56426206de0", "exitCode": 0, "finishedAt": "2026-05-11T11:38:46Z", "reason": "Completed", "startedAt": "2026-05-11T11:38:44Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://573257b1357e65f206320eda5e5d8dd1d95907514fac51f3d6691e522f45086c", "exitCode": 0, "finishedAt": "2026-05-11T11:38:52Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795\\\", \\\"digests\\\": [\\\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f\\\":\\\"sha256:f714c11fd991992444734e31070707f09af403411d0da4ceeb3905c24d9a313b\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":6,\\\"high\\\":46,\\\"medium\\\":104,\\\"low\\\":14,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:52+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:47Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" }, { "name": "IMAGE_DIGEST", "value": "sha256:44dec67bf9172c75785225ecedb91bdc0b5f449a0748e3732a396b830df3b31f" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-child-rexo:e00807ddfa5c59675de2a49103f4321dcd8a9795" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/1166b99f-9db2-40f5-b120-ef4d0c51d534", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-7ad1c206189a6188-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:33:01Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-component-faac7f96143ff37f9d4607fcb669791b-clamav-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "71216", "uid": "1166b99f-9db2-40f5-b120-ef4d0c51d534" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:20Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:20Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-faac7f96f9841296b7e0bedd4d2cd174248d846b-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\", \"digests\": [\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499257\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-7ad1c206189a6188-01" }, "startTime": "2026-05-11T11:33:01Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://1fe7423a7d8f771cd01e1a84d512d53eae11bd9e324f12d36b0e8691ba07af81", "exitCode": 0, "finishedAt": "2026-05-11T11:34:17Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\\\", \\\"digests\\\": [\\\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499257\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:14Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://75171838fac655662cc03880e41fc8d9493bb4a4f8d632b356b8e029f8b8e242", "exitCode": 0, "finishedAt": "2026-05-11T11:34:19Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\\\", \\\"digests\\\": [\\\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499257\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:17Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/a8d3e806-0ec9-46b6-a93f-643f6aec2e08", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-71c6d008e25ff83f-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:28:22Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk-init", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "60691", "uid": "a8d3e806-0ec9-46b6-a93f-643f6aec2e08" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:27Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rexo-on-pull-request-phvwk-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-71c6d008e25ff83f-01" }, "startTime": "2026-05-11T11:28:22Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://64798c9012882152113e4ae6328df2bf8233c4862a6b9553eca9cc7566edbbca", "exitCode": 0, "finishedAt": "2026-05-11T11:28:26Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:26Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/4689f19f-0dc2-4404-a6d0-e34038c58dc6", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-db1fcba75ece7b6a-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:33:01Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk-tpa-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "70391", "uid": "4689f19f-0dc2-4404-a6d0-e34038c58dc6" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:54Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:54Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-r0ad6978d979e2a301dc3a5f2ef7e1ada-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\", \"digests\": [\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\":\"sha256:b8b8931c8688cf8ebf74cf92f69dfc2d19a0b4735ee2603bd91d46eb3e8c97c6\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":4,\"high\":28,\"medium\":53,\"low\":9,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:33:53+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-db1fcba75ece7b6a-01" }, "startTime": "2026-05-11T11:33:01Z", "steps": [ { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://10eff1ae24d28b4d943e7faeb4177f72586214c2baacfddab4f06fdc20d98222", "exitCode": 0, "finishedAt": "2026-05-11T11:33:48Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:46Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://63c1b74b283e448204eb8c0aea92f6adb179bf6b5048ef99e303a9e0d94cc9ea", "exitCode": 0, "finishedAt": "2026-05-11T11:33:51Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:49Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://899c71958cf40c0fccba913284a5a40091868fb46bd78d6852cd2301e27dc5ec", "exitCode": 0, "finishedAt": "2026-05-11T11:33:53Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\\\", \\\"digests\\\": [\\\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\\\":\\\"sha256:b8b8931c8688cf8ebf74cf92f69dfc2d19a0b4735ee2603bd91d46eb3e8c97c6\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":4,\\\"high\\\":28,\\\"medium\\\":53,\\\"low\\\":9,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:53+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:52Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_DIGEST", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/e73295ff-6052-4d27-bf21-8f461141d5b1", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-4053b8f40fb2f541-01\"}" }, "creationTimestamp": "2026-05-11T11:37:40Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-build-container", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "82635", "uid": "e73295ff-6052-4d27-bf21-8f461141d5b1" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:48Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:48Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rfaf3fa5a7c55cfdb0211ad938be55189-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:953a96a3cc79eed7f6086009ee68e4781716a26dbc7c62569d827adf82e331da" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-4053b8f40fb2f541-01" }, "startTime": "2026-05-11T11:37:42Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://6b7a310713f9b3055525eb0e9b2a61d28be5c77c544d9b90e5de450295f3cf8b", "exitCode": 0, "finishedAt": "2026-05-11T11:37:47Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:46Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://e26b01d1a7ca86f90ade20a0347f3f3b4bed1074091baae368a81d239eec48fe", "exitCode": 0, "finishedAt": "2026-05-11T11:38:03Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:48Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://34e0dcd8f26e397a7c07d40d944d77205ed1afbd67566b219eaab35293b3b6dc", "exitCode": 0, "finishedAt": "2026-05-11T11:38:48Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:04Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://4723fdc477b8adc10c7ebf130a731a2b1c27137ae0ac1f1cb5ca89d0f124f811", "exitCode": 0, "finishedAt": "2026-05-11T11:39:05Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:49Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://a6a2aeb925a3a001174df57c1bf1ff87853a8f676a7d3d002164817baee3cab8", "exitCode": 0, "finishedAt": "2026-05-11T11:39:22Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:06Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://10c265dde54dbec646705a3fa2e1ad28de1cb3edad3ab76271330a853e5d635b", "exitCode": 0, "finishedAt": "2026-05-11T11:39:47Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:953a96a3cc79eed7f6086009ee68e4781716a26dbc7c62569d827adf82e331da\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:22Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "gl-multi-component-parent-rexo-on-push-jsrmh-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/66f3721b-e089-4fd8-9b7d-bbb970e253bf", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-608d80ca9c5ca288-01\"}" }, "creationTimestamp": "2026-05-11T11:39:48Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "build-image-index" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-build-image-index", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "83321", "uid": "66f3721b-e089-4fd8-9b7d-bbb970e253bf" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:39:57Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:39:57Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-r7b19297541b4f558379328b547ebd8ab-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-608d80ca9c5ca288-01" }, "startTime": "2026-05-11T11:39:48Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://e4b52c89907ac518292927227a1c3d8285dcfa6d7f664b7d1891c8eb9871834d", "exitCode": 0, "finishedAt": "2026-05-11T11:39:55Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:53Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://128ab9c3679522094692e074052bb0e8b86eb62a888128444cbfbd7e4719222d", "exitCode": 0, "finishedAt": "2026-05-11T11:39:55Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:55Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://7ccbb48ebe1cba9cad9f88524746a8781d6870ca008bc59d58f11069aa3498c4", "exitCode": 0, "finishedAt": "2026-05-11T11:39:57Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:39:55Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85@sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"gl-multi-component-parent-rexo-on-push-jsrmh-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/1934f1fe-bef4-4af1-88cd-4e5c61231b87", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-89c540d3f8444fe7-01\"}" }, "creationTimestamp": "2026-05-11T11:39:58Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-clamav-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "84908", "uid": "1934f1fe-bef4-4af1-88cd-4e5c61231b87" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:59Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:59Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rexo-on-push-jsrmh-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\", \"digests\": [\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499656\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-89c540d3f8444fe7-01" }, "startTime": "2026-05-11T11:39:58Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://c791ef17867106b357c0bbc53f350943be52836f073f00a7b91c508e6c8c6504", "exitCode": 0, "finishedAt": "2026-05-11T11:40:56Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\\\", \\\"digests\\\": [\\\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499656\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:03Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://ee5ef40bbbd4b17d2c3f131dd76978612562c5e7abae71bbb9fcd33d731446b2", "exitCode": 0, "finishedAt": "2026-05-11T11:40:58Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\\\", \\\"digests\\\": [\\\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499656\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:56Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/7d0f7e86-acaa-434d-9f94-feed37364ee9", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-ebafa2976ed44d16-01\"}" }, "creationTimestamp": "2026-05-11T11:36:45Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-clone-repository", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "77077", "uid": "7d0f7e86-acaa-434d-9f94-feed37364ee9" }, "spec": { "params": [ { "name": "url", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "revision", "value": "db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85.git" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-bylibv" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:55Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:55Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rb0b0543f4484cab384eaa821b6d1f1ee-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "commit", "type": "string", "value": "db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "commit-timestamp", "type": "string", "value": "1778499391" }, { "name": "short-commit", "type": "string", "value": "db262f1" }, { "name": "url", "type": "string", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-ebafa2976ed44d16-01" }, "startTime": "2026-05-11T11:36:45Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://982310ff0e9f77ac529c3a2dc17903263b1ddd5d800ef4570e6b78f3c4a93623", "exitCode": 0, "finishedAt": "2026-05-11T11:36:52Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499391\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"db262f1\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:52Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://0ea7a2f01f1d8c3307937ae0964c37d5eca55a48e8751d16425d17a9d6ad339c", "exitCode": 0, "finishedAt": "2026-05-11T11:36:53Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1},{\"key\":\"commit\",\"value\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499391\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"db262f1\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:53Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://54ae609488a8a4f00983279254d823b621dfceae6acb97ea8d6d1fd3d6decaf0", "exitCode": 0, "finishedAt": "2026-05-11T11:36:54Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b\",\"type\":1},{\"key\":\"commit\",\"value\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499391\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"db262f1\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/build-nudge-parent-twjokv\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:53Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "PARAM_REVISION", "value": "db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/83365fb9-a580-40c7-8453-b76fc9423c85", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-3a48ad3b9c6cc102-01\"}" }, "creationTimestamp": "2026-05-11T11:36:39Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-init", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "76688", "uid": "83365fb9-a580-40c7-8453-b76fc9423c85" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:45Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:45Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rexo-on-push-jsrmh-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-3a48ad3b9c6cc102-01" }, "startTime": "2026-05-11T11:36:39Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://1592858d44d80491b3368764f4f94a349039a9710db74095eddd71e853f30a6b", "exitCode": 0, "finishedAt": "2026-05-11T11:36:44Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:44Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/800eab38-f3bf-4254-9e04-510cb048fbe2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-1a2b07433d570f25-01\"}" }, "creationTimestamp": "2026-05-11T11:39:58Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-sast-shell-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "84115", "uid": "800eab38-f3bf-4254-9e04-510cb048fbe2" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:17Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:17Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-r730ada0b2a3f211dde3f39374327e323-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:15+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-1a2b07433d570f25-01" }, "startTime": "2026-05-11T11:39:58Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://8ab2dd7ad9aa748ecb2f95aad3190617d8a10f4801931e9dee25e76a4d2f4ee9", "exitCode": 0, "finishedAt": "2026-05-11T11:40:04Z", "reason": "Completed", "startedAt": "2026-05-11T11:40:04Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "cri-o://5ac3311cd1a0dd204d5915bfa7048e4c43fbafb71e888e0623f6652d8c82884e", "exitCode": 0, "finishedAt": "2026-05-11T11:40:15Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:15+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:05Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://c72e9a068ccc407dd2476e78c253240fa620225dd5a292d46a745d31e422327c", "exitCode": 0, "finishedAt": "2026-05-11T11:40:16Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:15+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:16Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/e4916f83-9746-471d-b6a9-63846f0072d5", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-d5d115b03a357506-01\"}" }, "creationTimestamp": "2026-05-11T11:39:58Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-sast-unicode-check", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "83805", "uid": "e4916f83-9746-471d-b6a9-63846f0072d5" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:09Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:09Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rfc0ca9d33cf0478ecb7a331561986bda-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:07+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-d5d115b03a357506-01" }, "startTime": "2026-05-11T11:39:58Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://9d1732dbb663826605e1dcf82d1e2e97a962c7e2e8853ee861f91512248a5906", "exitCode": 0, "finishedAt": "2026-05-11T11:40:05Z", "reason": "Completed", "startedAt": "2026-05-11T11:40:04Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://8d680f674bfcd9ec8303a3609bb02aa169367e18a13d8051e25d6acf45e6473c", "exitCode": 0, "finishedAt": "2026-05-11T11:40:07Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:07+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:06Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://6f8bf9f90d074a04a6c32962d8d8a2a172f26d3ed5c49b0b278fce72ceab05c0", "exitCode": 0, "finishedAt": "2026-05-11T11:40:08Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:07+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:07Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:135c7777e0b3399e176a36d0352959b2abdf621af3993e71d633f75b541d368b=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/commit_sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bylibv", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-push-jsrmh", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-multi-component-parent-rexo' into 'multi-component-parent-base-rexo'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8/records/3b716870-8a15-458d-b6b2-d44a35542fae", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"db262f1446e088880fcfd4b2e13afdcaae70ad85\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-fnyl/results/ec410ceb-11bf-405b-a10b-0e280130c3a8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-52bddfe8e2a8557a597db9d1f8b085c3-a9986ef13d6166b3-01\"}" }, "creationTimestamp": "2026-05-11T11:39:58Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-post-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-push", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-push-jsrmh", "tekton.dev/pipelineRunUID": "ec410ceb-11bf-405b-a10b-0e280130c3a8", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan" }, "name": "gl-multi-component-parent-rexo-on-push-jsrmh-tpa-scan", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-push-jsrmh", "uid": "ec410ceb-11bf-405b-a10b-0e280130c3a8" } ], "resourceVersion": "83956", "uid": "3b716870-8a15-458d-b6b2-d44a35542fae" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:40:12Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:40:12Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-component-parent-rexo-on-push-jsrmh-tpa-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\", \"digests\": [\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\":\"sha256:484ae0ddc44f35f0ceb21f7950b3638a985198fa7b3c10d30f726b97c535a596\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":4,\"high\":28,\"medium\":53,\"low\":9,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:40:11+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-52bddfe8e2a8557a597db9d1f8b085c3-a9986ef13d6166b3-01" }, "startTime": "2026-05-11T11:39:58Z", "steps": [ { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://c29d21b8e09dc1dd36076734d2f7f9279cf329f3c5a97282890e274c43c4923f", "exitCode": 0, "finishedAt": "2026-05-11T11:40:06Z", "reason": "Completed", "startedAt": "2026-05-11T11:40:04Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://44b5dedfbd1987c178203dfa0a39495e70e113b50b37ff4d14db5bb7524e11a0", "exitCode": 0, "finishedAt": "2026-05-11T11:40:09Z", "reason": "Completed", "startedAt": "2026-05-11T11:40:06Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://826f670326fee0b54ee763c6c1b6ee0c2522ce9b3b1680c44e59d962cc8194dd", "exitCode": 0, "finishedAt": "2026-05-11T11:40:11Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85\\\", \\\"digests\\\": [\\\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea\\\":\\\"sha256:484ae0ddc44f35f0ceb21f7950b3638a985198fa7b3c10d30f726b97c535a596\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":4,\\\"high\\\":28,\\\"medium\\\":53,\\\"low\\\":9,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:40:11+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:40:09Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" }, { "name": "IMAGE_DIGEST", "value": "sha256:f5af1e038a125516433fe1078b8bcfe0e31ad4a73f5044cc00431636aa9a65ea" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/f0d7c991-76a6-44fa-aeb4-a6e10e657b49", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-e1805fa4db903de4-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:29:23Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-componfaac7f96143ff37f9d4607fcb669791b-build-container", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "68234", "uid": "f0d7c991-76a6-44fa-aeb4-a6e10e657b49" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "COMMIT_SHA", "value": "a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:32:47Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:32:47Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-componfaac7f96143faa684a9c4361a2b136f1c8a927b281b0-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:63b8e108c3f928e634b1867062f09dcd5bef900a2b25648c46523d1955be69e1" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-e1805fa4db903de4-01" }, "startTime": "2026-05-11T11:29:24Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://461b41a4ef8e9e5234ce5fcfceaff6deaa9369ede451781710811e252314a155", "exitCode": 0, "finishedAt": "2026-05-11T11:30:27Z", "reason": "Completed", "startedAt": "2026-05-11T11:30:27Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://23ed73af45a2ae4bc3c2eebf6cefcf50ad0dbc551394f7125de7aec5c0d9fadf", "exitCode": 0, "finishedAt": "2026-05-11T11:30:46Z", "reason": "Completed", "startedAt": "2026-05-11T11:30:28Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://80c15a8e34a0c6ee863e8e70be3b97ebdd52c43834fc9927d90b9e4e5d526334", "exitCode": 0, "finishedAt": "2026-05-11T11:31:43Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:46Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://5c487927de46f4ef318f75c00ad42f44af12e91ae2ed8179a26d93dfc2b50776", "exitCode": 0, "finishedAt": "2026-05-11T11:32:01Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:31:43Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://105208bd6dc03ee791fa7db8b07944534aff9a7be68443e178be6e016ec697d7", "exitCode": 0, "finishedAt": "2026-05-11T11:32:21Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:01Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://3aabe89576914750d67c6210f8dd7b37ffcf29b4576ec6e531ff1c0a9ccccae8", "exitCode": 0, "finishedAt": "2026-05-11T11:32:47Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8@sha256:9bd44d0cfbd50450edb7cebac1658fad4a7a4645756c960f521fa5969d3d997c\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:63b8e108c3f928e634b1867062f09dcd5bef900a2b25648c46523d1955be69e1\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:21Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "a4ffc1f03a6b1d97283b12282412840055fc92a8" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "gl-multi-componfaac7f96143ff37f9d4607fcb669791b-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/tree/a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/commit_sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "build.appstudio.redhat.com/pull_request_number": "1", "build.appstudio.redhat.com/target_branch": "multi-component-parent-base-rexo", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-parent-base-rexo", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "Merge Request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vbxbvj", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-fnyl/tekton.dev~v1~PipelineRun/gl-multi-component-parent-rexo-on-pull-request-phvwk", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-parent-base-rexo\"", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv/-/commit/a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/source-branch": "konflux-gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/source-project-id": "82090806", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/build-nudge-parent-twjokv", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/target-project-id": "82090806", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72/records/688d7ce0-c150-4d93-90e9-a57db4364aac", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"build-nudge-parent-twjokv\",\"commit\":\"a4ffc1f03a6b1d97283b12282412840055fc92a8\",\"eventType\":\"Merge Request\",\"pull_request-id\":1}", "results.tekton.dev/result": "build-e2e-fnyl/results/ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-131fd24f9dcfacc403d70387aa8147ad-fad0997dddb872c4-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-gl-multi-component-parent-rexo" }, "creationTimestamp": "2026-05-11T11:28:36Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-component-update-tqpg", "appstudio.openshift.io/component": "gl-multi-component-parent-rexo", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/event-type": "Merge_Request", "pipelinesascode.tekton.dev/original-prname": "gl-multi-component-parent-rexo-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "gl-multi-component-parent-rexo", "pipelinesascode.tekton.dev/sha": "a4ffc1f03a6b1d97283b12282412840055fc92a8", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRun": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "tekton.dev/pipelineRunUID": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "2778624c4a783d65d3c448c05b3262242550994fa145dbeb5c211458cf2137" }, "name": "gl-multi-faac7f96143ff37f9d4607fcb669791b-prefetch-dependencies", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-multi-component-parent-rexo-on-pull-request-phvwk", "uid": "ac66d9e2-3f2a-474c-a8d9-a0b1ba94ac72" } ], "resourceVersion": "63295", "uid": "688d7ce0-c150-4d93-90e9-a57db4364aac" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-vbxbvj" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:29:23Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:23Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-multi-faac7f96143ff37f9d6ad3880c66b1b23d8d7446abd169cfe6-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" } ], "spanContext": { "traceparent": "00-131fd24f9dcfacc403d70387aa8147ad-fad0997dddb872c4-01" }, "startTime": "2026-05-11T11:28:36Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://72c2520c302651b20142fe42610b807bf4750fb7e75cd125c32b26fe21827a4e", "exitCode": 0, "finishedAt": "2026-05-11T11:28:42Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:42Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://614e39a4d127409287cfbc360ac085bf719ff9371c8cdb36d432d65417d97b2b", "exitCode": 0, "finishedAt": "2026-05-11T11:28:42Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:42Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://4c03b524f3c033e4c91b33a1e9809736d8ce0e34c0a4c194d6a3f8b15e98c79c", "exitCode": 0, "finishedAt": "2026-05-11T11:29:21Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:42Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://3c085e42cc3aa9a8671bbc534b8d98a8b40b8f8f1cbaa05a61cb17699907275e", "exitCode": 0, "finishedAt": "2026-05-11T11:29:22Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:22Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo@sha256:422b19ebe154c353b0114171718af5c00ba3eedf4cfb158f6b8b6c02f501ac07=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:on-pr-a4ffc1f03a6b1d97283b12282412840055fc92a8.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.redhat.com/nudged-components": "gl-multi-component-child-rexo", "build.appstudio.redhat.com/nudging-commit": "db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/nudging-component": "gl-multi-component-parent-rexo", "build.appstudio.redhat.com/nudging-image": "quay.io/redhat-appstudio-qe/build-e2e-fnyl/gl-multi-component-parent-rexo:db262f1446e088880fcfd4b2e13afdcaae70ad85", "build.appstudio.redhat.com/nudging-pipeline": "gl-multi-component-parent-rexo-on-push-jsrmh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-fnyl/results/a6a0e924-445d-4a9a-9b0f-8379fe6c3391/records/6cadbe6d-c5dd-46bd-84d2-911824f14f87", "results.tekton.dev/result": "build-e2e-fnyl/results/a6a0e924-445d-4a9a-9b0f-8379fe6c3391", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-988021a31c12c207c40436f8492c268a-4e0d0ad1c68b9bc4-01\"}" }, "creationTimestamp": "2026-05-11T11:41:00Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "build.appstudio.redhat.com/type": "nudge", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-pipeline-1778499660-994a3", "tekton.dev/pipelineRun": "renovate-pipeline-1778499660-994a3", "tekton.dev/pipelineRunUID": "a6a0e924-445d-4a9a-9b0f-8379fe6c3391", "tekton.dev/pipelineTask": "renovate" }, "name": "renovate-pipeline-1778499660-994a3-renovate", "namespace": "build-e2e-fnyl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-pipeline-1778499660-994a3", "uid": "a6a0e924-445d-4a9a-9b0f-8379fe6c3391" } ], "resourceVersion": "87734", "uid": "6cadbe6d-c5dd-46bd-84d2-911824f14f87" }, "spec": { "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gl-multi-component-parent-rexo", "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_ad06b2a0de RENOVATE_CONFIG_FILE=/configs/gl-multi-component-child-rexo-61c64.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_fnyl_gl_multi_component_parent_rexo_0e9461ddf3','password':'${TOKEN_16e6e2c6e5}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778499660-994a3" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778499660-994a3" }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "trusted-ca", "readOnly": true } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778499660-994a3" }, "name": "renovate-pipeline-1778499660-994a3" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "renovate-ca-1778499660-994a3" }, "name": "trusted-ca" } ] }, "timeout": "2h0m0s" }, "status": { "completionTime": "2026-05-11T11:43:05Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:43:05Z", "message": "the step \"renovate\" in TaskRun \"renovate-pipeline-1778499660-994a3-renovate\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/mintmaker-renovate-image:29a2f31\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "renovate-pipeline-1778499660-994a3-renovate-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "spanContext": { "traceparent": "00-988021a31c12c207c40436f8492c268a-4e0d0ad1c68b9bc4-01" }, "startTime": "2026-05-11T11:41:00Z", "steps": [ { "container": "step-renovate", "name": "renovate", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:43:05Z", "message": "Step renovate terminated as pod renovate-pipeline-1778499660-994a3-renovate-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:41:00Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_ad06b2a0de RENOVATE_CONFIG_FILE=/configs/gl-multi-component-child-rexo-61c64.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_fnyl_gl_multi_component_parent_rexo_0e9461ddf3','password':'${TOKEN_16e6e2c6e5}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778499660-994a3" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778499660-994a3" }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "trusted-ca", "readOnly": true } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778499660-994a3" }, "name": "renovate-pipeline-1778499660-994a3" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "renovate-ca-1778499660-994a3" }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.redhat.com/nudged-components": "gh-multi-component-child-liaa", "build.appstudio.redhat.com/nudging-commit": "build-nudge-parent-ckkvzw?rev=2579a1f01ac7d3b9a66d0b3fa2f1e3db10761f69", "build.appstudio.redhat.com/nudging-component": "gh-multi-component-parent-liaa", "build.appstudio.redhat.com/nudging-image": "quay.io/redhat-appstudio-qe/build-e2e-nozz/gh-multi-component-parent-liaa:2579a1f01ac7d3b9a66d0b3fa2f1e3db10761f69", "build.appstudio.redhat.com/nudging-pipeline": "gh-multi-component-parent-liaa-on-push-glff4", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-nozz/results/169ed96f-a9a0-47fb-8748-83611899d356/records/a7a910ea-7b3e-40f5-9a7f-7c0698eee888", "results.tekton.dev/result": "build-e2e-nozz/results/169ed96f-a9a0-47fb-8748-83611899d356", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b11c6b78636927dced6b3b81665c4b35-666825cb4bcec0be-01\"}" }, "creationTimestamp": "2026-05-11T11:48:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "build.appstudio.redhat.com/type": "nudge", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-pipeline-1778500132-462be", "tekton.dev/pipelineRun": "renovate-pipeline-1778500132-462be", "tekton.dev/pipelineRunUID": "169ed96f-a9a0-47fb-8748-83611899d356", "tekton.dev/pipelineTask": "renovate" }, "name": "renovate-pipeline-1778500132-462be-renovate", "namespace": "build-e2e-nozz", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-pipeline-1778500132-462be", "uid": "169ed96f-a9a0-47fb-8748-83611899d356" } ], "resourceVersion": "97875", "uid": "a7a910ea-7b3e-40f5-9a7f-7c0698eee888" }, "spec": { "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-gh-multi-component-parent-liaa", "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_7660fe2c32 RENOVATE_CONFIG_FILE=/configs/gh-multi-component-child-liaa-39df4.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_nozz_gh_multi_component_parent_liaa_63904221f7','password':'${TOKEN_745f04168f}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778500132-462be" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778500132-462be" }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "trusted-ca", "readOnly": true } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778500132-462be" }, "name": "renovate-pipeline-1778500132-462be" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "renovate-ca-1778500132-462be" }, "name": "trusted-ca" } ] }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:49:06Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:49:06Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "renovate-pipeline-1778500132-462be-renovate-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "spanContext": { "traceparent": "00-b11c6b78636927dced6b3b81665c4b35-666825cb4bcec0be-01" }, "startTime": "2026-05-11T11:48:52Z", "steps": [ { "container": "step-renovate", "imageID": "quay.io/konflux-ci/mintmaker-renovate-image@sha256:67d26b20533790565a2949a3f732d595dda9378fea506f1cba88ca17cef13873", "name": "renovate", "provenance": {}, "terminated": { "containerID": "cri-o://767ad6bf8544d8e00f99e1cab261d8a2c653473605511537fcf27ba29c7b3e90", "exitCode": 0, "finishedAt": "2026-05-11T11:49:06Z", "reason": "Completed", "startedAt": "2026-05-11T11:48:56Z" }, "terminationReason": "Completed" } ], "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_7660fe2c32 RENOVATE_CONFIG_FILE=/configs/gh-multi-component-child-liaa-39df4.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_nozz_gh_multi_component_parent_liaa_63904221f7','password':'${TOKEN_745f04168f}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778500132-462be" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778500132-462be" }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "trusted-ca", "readOnly": true } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778500132-462be" }, "name": "renovate-pipeline-1778500132-462be" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "renovate-ca-1778500132-462be" }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=f1212a3aa944f5c7c78984a889786dd02eb733e5", "build.appstudio.redhat.com/commit_sha": "f1212a3aa944f5c7c78984a889786dd02eb733e5", "build.appstudio.redhat.com/pull_request_number": "33158", "build.appstudio.redhat.com/target_branch": "multi-component-base-qpbqgb", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "multi-component-base-qpbqgb", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75348983540", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atkcka", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-rggz/tekton.dev~v1~PipelineRun/go-component-gwgfsj-on-pull-request-vtkf6", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-qpbqgb\" \u0026\u0026 ( \"go-component/***\".pathChanged() || \".tekton/go-component-gwgfsj-pull-request.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "go-component-gwgfsj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33158", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "go-component-gwgfsj", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2", "pipelinesascode.tekton.dev/sha": "f1212a3aa944f5c7c78984a889786dd02eb733e5", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/f1212a3aa944f5c7c78984a889786dd02eb733e5", "pipelinesascode.tekton.dev/source-branch": "pr-branch-vsadiq", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-rggz/results/fcffe34c-2391-402a-aeaa-d2a3ecf15b58/records/4e836c6c-1100-4d50-b0fa-f36ecf6da2a7", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"eventType\":\"pull_request\",\"pull_request-id\":33158}", "results.tekton.dev/result": "build-e2e-rggz/results/fcffe34c-2391-402a-aeaa-d2a3ecf15b58", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-919d6af15d50b175e0436b14202d827c-25c7b6a202e8d906-01\"}", "test.appstudio.openshift.io/pr-group": "pr-branch-vsadiq" }, "creationTimestamp": "2026-05-11T12:04:53Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-11T12:05:15Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ygmw", "appstudio.openshift.io/component": "go-component-gwgfsj", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75348983540", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "go-component-gwgfsj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33158", "pipelinesascode.tekton.dev/repository": "go-component-gwgfsj", "pipelinesascode.tekton.dev/sha": "f1212a3aa944f5c7c78984a889786dd02eb733e5", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "go-component-gwgfsj-on-pull-request-vtkf6", "tekton.dev/pipelineRun": "go-component-gwgfsj-on-pull-request-vtkf6", "tekton.dev/pipelineRunUID": "fcffe34c-2391-402a-aeaa-d2a3ecf15b58", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "0490d2930538339c7ade2b9b7062f702545dfd5199fab1ce51997ef6631d02" }, "name": "go-component-gwgfsj-on-pull-request-vtkf6-clone-repository", "namespace": "build-e2e-rggz", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "go-component-gwgfsj-on-pull-request-vtkf6", "uid": "fcffe34c-2391-402a-aeaa-d2a3ecf15b58" } ], "resourceVersion": "115017", "uid": "4e836c6c-1100-4d50-b0fa-f36ecf6da2a7" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/redhat-appstudio-qe/sample-multi-component" }, { "name": "revision", "value": "f1212a3aa944f5c7c78984a889786dd02eb733e5" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-rggz/go-component-gwgfsj:on-pr-f1212a3aa944f5c7c78984a889786dd02eb733e5.git" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-go-component-gwgfsj", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-atkcka" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T12:05:02Z", "conditions": [ { "lastTransitionTime": "2026-05-11T12:05:02Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "go-component-gwgfsj-on-pull-request-vtkf6-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "f1212a3aa944f5c7c78984a889786dd02eb733e5" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/redhat-appstudio-qe/sample-multi-component" }, { "name": "commit", "type": "string", "value": "f1212a3aa944f5c7c78984a889786dd02eb733e5" }, { "name": "commit-timestamp", "type": "string", "value": "1778501079" }, { "name": "short-commit", "type": "string", "value": "f1212a3" }, { "name": "url", "type": "string", "value": "https://github.com/redhat-appstudio-qe/sample-multi-component" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-rggz/go-component-gwgfsj@sha256:b1892e171829c83a5226b89b57862ed448fe15c2cdad0da95b525386779e8e91" } ], "spanContext": { "traceparent": "00-919d6af15d50b175e0436b14202d827c-25c7b6a202e8d906-01" }, "startTime": "2026-05-11T12:04:53Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://e157a5f75a4e16da7d07f2727fabf7f98d64e5ac2e2e69ad8697f62b6090a933", "exitCode": 0, "finishedAt": "2026-05-11T12:04:59Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/sample-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778501079\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"f1212a3\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/sample-multi-component\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T12:04:59Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://139f9b83cfea2d1a24bb37743ab6d5b25506919e15422224cccc34d5fbe490a4", "exitCode": 0, "finishedAt": "2026-05-11T12:05:00Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/sample-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778501079\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"f1212a3\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/sample-multi-component\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T12:05:00Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://120753e91b6b49ed86f36144401a98ac198e78165a66d1c12f6e355c165601c6", "exitCode": 0, "finishedAt": "2026-05-11T12:05:01Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/sample-multi-component\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-rggz/go-component-gwgfsj@sha256:b1892e171829c83a5226b89b57862ed448fe15c2cdad0da95b525386779e8e91\",\"type\":1},{\"key\":\"commit\",\"value\":\"f1212a3aa944f5c7c78984a889786dd02eb733e5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778501079\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"f1212a3\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/sample-multi-component\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T12:05:00Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/redhat-appstudio-qe/sample-multi-component" }, { "name": "PARAM_REVISION", "value": "f1212a3aa944f5c7c78984a889786dd02eb733e5" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-rggz/go-component-gwgfsj:on-pr-f1212a3aa944f5c7c78984a889786dd02eb733e5.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/2ea0a9f0-ab3d-4b9f-b90e-f82f519b9446", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-3bc93c049992e49c-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:47Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "tes46e1a31bd24ca83d69b81b54a0c7cf7c-deprecated-base-image-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79726", "uid": "2ea0a9f0-ab3d-4b9f-b90e-f82f519b9446" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:06Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:06Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tes46e1a31bd24ca83d69b81b546e599e382364e29f65e1208d51bbd420-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\", \"digests\": [\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-05-11T11:38:06+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-3bc93c049992e49c-01" }, "startTime": "2026-05-11T11:37:47Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://a788bfb4abdfb57a3ec9ef75a5877a13c4464a023c4abb46d54051025318d057", "exitCode": 0, "finishedAt": "2026-05-11T11:38:06Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\\\", \\\"digests\\\": [\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:06+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:52Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/6d2c6f67-e1a8-488d-8506-ab5eb213fc40", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-6892a0d134c69f86-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "tes608347ca44be39e8319879d178ce5661-deprecated-base-image-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "64074", "uid": "6d2c6f67-e1a8-488d-8506-ab5eb213fc40" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "completionTime": "2026-05-11T11:29:50Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:50Z", "message": "the step \"check-images\" in TaskRun \"tes608347ca44be39e8319879d178ce5661-deprecated-base-image-check\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "tes608347ca44be39e8319879d1010be835ef161511c67e60241dc59fd2-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-6892a0d134c69f86-01" }, "startTime": "2026-05-11T11:29:06Z", "steps": [ { "container": "step-check-images", "name": "check-images", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:29:50Z", "message": "Step check-images terminated as pod tes608347ca44be39e8319879d1010be835ef161511c67e60241dc59fd2-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:29:06Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/f983b440-0de9-4c42-848d-e3d68f5e8d4f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-126673b9ef0be67e-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:34:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "tes62e20cdd010b5d62afeff781e4a996ce-deprecated-base-image-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "71450", "uid": "f983b440-0de9-4c42-848d-e3d68f5e8d4f" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:27Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tes62e20cdd010b5d62afeff7815c9f28c6ab25c349e16dbe4121a3fd56-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\", \"digests\": [\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-05-11T11:34:27+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-126673b9ef0be67e-01" }, "startTime": "2026-05-11T11:34:17Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e", "name": "check-images", "provenance": {}, "terminated": { "containerID": "cri-o://3514aba9e8646da765c44ac82654c009495017d534dfae4391dcd2e91d5f4cd7", "exitCode": 0, "finishedAt": "2026-05-11T11:34:27Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\\\", \\\"digests\\\": [\\\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:27+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:22Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/053420f5-f9fc-4dfb-90f9-1a75bb4ae532", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-1097f005c6fda31c-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:47Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks", "tekton.dev/task": "ecosystem-cert-preflight-checks", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-9ea72b07f0b832e903f07451e1028d7b", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79686", "uid": "053420f5-f9fc-4dfb-90f9-1a75bb4ae532" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "ecosystem-cert-preflight-checks" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:e2bcf1174a6dae9969b8f12e94babe2a5881bc77a509f10823b6a9eac6392850" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:04Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:04Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-requ7ff82aa5feca815acdafc6f986a2c3f8-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "e2bcf1174a6dae9969b8f12e94babe2a5881bc77a509f10823b6a9eac6392850" }, "entryPoint": "ecosystem-cert-preflight-checks", "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks" } }, "results": [ { "name": "ARTIFACT_TYPE", "type": "string", "value": "application" }, { "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "introspection" }, { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\", \"digests\": [\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\"]}}" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778499482\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":3,\"failures\":4,\"warnings\":0}" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-1097f005c6fda31c-01" }, "startTime": "2026-05-11T11:37:47Z", "steps": [ { "container": "step-introspect", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "introspect", "provenance": {}, "results": [ { "name": "artifact-type", "type": "string", "value": "application" }, { "name": "artifact-type-set-by", "type": "string", "value": "introspection" } ], "terminated": { "containerID": "cri-o://66bc0b748d82941b876832f8d212ae41e0893c7ea722903457f46384a0c3c73e", "exitCode": 0, "finishedAt": "2026-05-11T11:37:54Z", "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:53Z" }, "terminationReason": "Completed" }, { "container": "step-generate-container-auth", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "generate-container-auth", "provenance": {}, "results": [ { "name": "auth-json-path", "type": "string", "value": "/auth/auth.json" } ], "terminated": { "containerID": "cri-o://66264064ed9886cb6d152f7ad433a7c93412790c82e341c91a7001450f4cbac6", "exitCode": 0, "finishedAt": "2026-05-11T11:37:54Z", "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:54Z" }, "terminationReason": "Completed" }, { "container": "step-set-skip-for-bundles", "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:557d6789136c2fe8d64303d1524453f06040f548f4fcabe6404366751c575064", "name": "set-skip-for-bundles", "provenance": {}, "terminated": { "containerID": "cri-o://8e1b711eedbbe7c38a49ba4373ba51f7395190126422d65ad6e5b55bc3217f9b", "exitCode": 0, "finishedAt": "2026-05-11T11:37:54Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:54Z" }, "terminationReason": "Skipped" }, { "container": "step-app-check", "imageID": "quay.io/opdev/preflight@sha256:2f9816292f4dec166c03d913d7e8b9673f9313bc5220a5b82efb0923b81095b1", "name": "app-check", "provenance": {}, "terminated": { "containerID": "cri-o://a535620340ba894a632d33aef8a9d452fc66a406f637d3aa68f29dbe2d3e5d48", "exitCode": 0, "finishedAt": "2026-05-11T11:38:02Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:54Z" }, "terminationReason": "Completed" }, { "container": "step-app-set-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "app-set-outcome", "provenance": {}, "results": [ { "name": "images-processed", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\", \"digests\": [\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\"]}}" }, { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778499482\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":3,\"failures\":4,\"warnings\":0}" } ], "terminated": { "containerID": "cri-o://bcdd89bcd02bdec68df3e5a2f3de7118de86e636cbf2f8c3a6a56d64ae04f951", "exitCode": 0, "finishedAt": "2026-05-11T11:38:03Z", "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\\\", \\\"digests\\\": [\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1778499482\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":3,\\\"failures\\\":4,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:02Z" }, "terminationReason": "Completed" }, { "container": "step-final-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "final-outcome", "provenance": {}, "results": [ { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778499482\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":3,\"failures\":4,\"warnings\":0}" } ], "terminated": { "containerID": "cri-o://b8aeb38d6b0c08a950c309f1971eab446b8f51cfeb232273438d649595250832", "exitCode": 0, "finishedAt": "2026-05-11T11:38:04Z", "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1778499482\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":3,\\\"failures\\\":4,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:04Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.", "params": [ { "description": "Image url to scan.", "name": "image-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "introspect", "description": "The type of artifact. Select from application, operatorbundle, or introspect.", "name": "artifact-type", "type": "string" }, { "default": "", "description": "The platform the image is built on.", "name": "platform", "type": "string" } ], "results": [ { "description": "Ecosystem checks pass or fail outcome.", "name": "TEST_OUTPUT", "type": "string", "value": "$(steps.final-outcome.results.test-output)" }, { "description": "The artifact type, either introspected or set.", "name": "ARTIFACT_TYPE", "type": "string", "value": "$(steps.introspect.results.artifact-type)" }, { "description": "How the artifact type was set.", "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "$(steps.introspect.results.artifact-type-set-by)" }, { "description": "Collected image digests", "name": "IMAGES_PROCESSED", "type": "string", "value": "$(steps.app-set-outcome.results.images-processed)" } ], "steps": [ { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "PARAM_ARTIFACT_TYPE", "value": "introspect" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "introspect", "results": [ { "description": "The type of artifact this task is considering.", "name": "artifact-type" }, { "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n", "name": "artifact-type-set-by" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n echo \"Artifact type will be determined by introspection.\"\n _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n # short circuit if the artifact type was set via parameter.\n echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n _CURRENT_ARCH=$(uname -m)\n _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n # to map them.\n case ${_CURRENT_ARCH} in\n \"aarch64\")\n _CURRENT_ARCH=\"arm64\"\n ;;\n \"x86_64\")\n _CURRENT_ARCH=\"amd64\"\n ;;\n *)\n ;;\n esac\n\n # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n else\n # If there is no image for the current OS and architecture, just use the first one in the list.\n _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n | jq '.Labels | keys | .[]' -r \\\n | { grep operators.operatorframework.io.bundle || true ;} \\\n | tee /tmp/ecosystem-image-labels\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n" }, { "computeResources": { "limits": { "memory": "64Mi" }, "requests": { "cpu": "50m", "memory": "64Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "generate-container-auth", "results": [ { "description": "Path to auth.json", "name": "auth-json-path" } ], "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n", "volumeMounts": [ { "mountPath": "/auth", "name": "auth" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "results": [ { "description": "A skipped tekton result for bundles.", "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/bundle", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "operatorbundle" ] } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "PFLT_DOCKERCONFIG", "value": "$(steps.generate-container-auth.results.auth-json-path)" }, { "name": "PFLT_KONFLUX", "value": "true" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "PARAM_PLATFORM" } ], "image": "quay.io/opdev/preflight:stable@sha256:2f9816292f4dec166c03d913d7e8b9673f9313bc5220a5b82efb0923b81095b1", "name": "app-check", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n # Extract part after slash if present\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n\n # Validate against supported arch list. If it's not a known arch, return an error result\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n /usr/local/bin/preflight check container \"$image_url\"\nfi\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" }, { "mountPath": "/auth", "name": "auth", "readOnly": true } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "app-set-outcome", "results": [ { "description": "The overall outcome of this task.", "name": "test-output" }, { "description": "Processed image digests.", "name": "images-processed" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n # Check if results directory exits\n RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n continue\n fi\n # Process results\n if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{ result: $result,\n timestamp: $date,\n note: $note,\n successes: $successes|tonumber,\n failures: $failures|tonumber,\n warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nretry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" \u003e /tmp/raw-manifest.json\nimage_digest=\"sha256:$(sha256sum \u003c /tmp/raw-manifest.json | awk '{print $1}')\"\nif [[ ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "final-outcome", "results": [ { "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/mount", "name": "pfltoutputdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "pfltoutputdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "auth" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/523a0bb8-1ca2-4bc3-aec6-fbff1ff5cb3c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-2999c54300870831-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:48Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "apply-tags", "tekton.dev/task": "apply-tags", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-apply-tags", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79224", "uid": "523a0bb8-1ca2-4bc3-aec6-fbff1ff5cb3c" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "apply-tags" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:53Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:53Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-apply-tags-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, "entryPoint": "apply-tags", "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags" } }, "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-2999c54300870831-01" }, "startTime": "2026-05-11T11:37:49Z", "steps": [ { "container": "step-apply-additional-tags", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "apply-additional-tags", "provenance": {}, "terminated": { "containerID": "cri-o://d3987289a4f9438ab90a398954aa4153e8080ce8ffd7c182368959a9a14e0bda", "exitCode": 0, "finishedAt": "2026-05-11T11:37:53Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:52Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Applies additional tags to the built image.", "params": [ { "description": "Image repository and tag reference of the the built image.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest of the built image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": [], "description": "Additional tags that will be applied to the image in the registry.", "name": "ADDITIONAL_TAGS", "type": "array" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "--digest", "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195", "--tags", "--tags-from-image-label", "konflux.additional-tags" ], "command": [ "konflux-build-cli", "image", "apply-tags" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "apply-additional-tags" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/38910e86-c533-45cc-af61-1566232bffef", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-d138cc252c37bcf0-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:00Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-min", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-build-container", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "78278", "uid": "38910e86-c533-45cc-af61-1566232bffef" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "COMMIT_SHA", "value": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "buildah-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-min:0.9" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "source", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:35Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:35Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "83455b969b5b0f5e8cd96708b393343123754ec01d3d3cdaf531208693978a50" }, "entryPoint": "buildah-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:e11bd4a066083b3851b3b9d8c43ee6d4a8d8cdc129df677a97aba15eb401ad92" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-d138cc252c37bcf0-01" }, "startTime": "2026-05-11T11:37:00Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://d3e3a4d7f00bc49147ef53046323cb31276c69dc91b8a8c9142cb3ebe5d17c06", "exitCode": 0, "finishedAt": "2026-05-11T11:37:15Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:07Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://4c235fda1cb9ff78708004e1566492ad3c24c52980a76c7ebb294c49803180af", "exitCode": 0, "finishedAt": "2026-05-11T11:37:22Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:16Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://de3f9ae655b05a1b312555f60326cc31a54dfdf2d4d676de9f9cf05f5ba3e2f7", "exitCode": 0, "finishedAt": "2026-05-11T11:37:27Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:22Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://2ccb3bac63a066401bfc87dffc21e6b5fe75f538bd4287709a24673a41b0630b", "exitCode": 0, "finishedAt": "2026-05-11T11:37:31Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:27Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://3173567ed3b062bcd94c51d51b8a4722867cf21bb8ed8917c3af76190a78c084", "exitCode": 0, "finishedAt": "2026-05-11T11:37:35Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:e11bd4a066083b3851b3b9d8c43ee6d4a8d8cdc129df677a97aba15eb401ad92\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:31Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "2Gi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "HERMETIC", "value": "false" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "CONTEXT", "value": "." }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" }, { "name": "TARGET_STAGE" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "BUILD_ARGS_FILE" }, { "name": "ADD_CAPABILITIES" }, { "name": "SQUASH", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "ANNOTATIONS_FILE" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SKIP_INJECTIONS", "value": "false" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" } ] }, "steps": [ { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "SOURCE_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n \"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n *)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/workspace/source/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e \"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/workspace/source" }, { "computeResources": {}, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "TASKRUN_NAME", "value": "test-comp-tysh-on-pull-request-qnq59-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"\nthen\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e /shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"\n then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/workspace/source" }, { "computeResources": {}, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\n cyclonedx)\n syft_sbom_type=cyclonedx-json@1.5 ;;\n spdx)\n syft_sbom_type=spdx-json@2.3 ;;\n *)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/source/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "10m", "memory": "128Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/workspace/source/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/workspace/source" }, { "computeResources": { "limits": { "memory": "2Gi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"\n then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/workspace/source" } ], "volumes": [ { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "shared" }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } } ], "workspaces": [ { "description": "Workspace containing the source code to build.", "name": "source" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/0867a3fe-0b69-4256-8157-e0f22b9ebe8f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-4d083a5430840336-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:36Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-build-image-index", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79040", "uid": "0867a3fe-0b69-4256-8157-e0f22b9ebe8f" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" ] }, { "name": "BUILDAH_FORMAT", "value": "oci" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "build-image-index" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:47Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:47Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-build-image-index-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, "entryPoint": "build-image-index", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-4d083a5430840336-01" }, "startTime": "2026-05-11T11:37:37Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://62e7efee1bf3ff2e928b987de97972f8cdb03e8d335b8bf4ad46e9fecbf33422", "exitCode": 0, "finishedAt": "2026-05-11T11:37:43Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:41Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://17947523dc45fdee969c5253d1a5934b2eb362d141ac4768d14d957d6d82c4de", "exitCode": 0, "finishedAt": "2026-05-11T11:37:44Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:44Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://405433cd47c8689fa0bbf191e3215a480818115e634bf7535a95c899be255a83", "exitCode": 0, "finishedAt": "2026-05-11T11:37:46Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:44Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf@sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "250m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"test-comp-tysh-on-pull-request-qnq59-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/4530b834-c293-4ff2-aab1-cb7a8debd415", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-95d329291f4ad97a-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:47Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "clair-scan", "tekton.dev/task": "clair-scan", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-clair-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79522", "uid": "4530b834-c293-4ff2-aab1-cb7a8debd415" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "clair-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:00Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:00Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-clair-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, "entryPoint": "clair-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\", \"digests\": [\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\":\"sha256:94d73144d169154bd8f43ccb873c3a9b69701844e08e373fe2fe0abd5c436cd9\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":1,\"low\":89,\"unknown\":117}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:00+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-95d329291f4ad97a-01" }, "startTime": "2026-05-11T11:37:47Z", "steps": [ { "container": "step-get-image-manifests", "imageID": "quay.io/konflux-ci/konflux-test@sha256:52cc21d3a3cd44dac8c77638268ef1f83f908008e98529603048b8c42b544091", "name": "get-image-manifests", "provenance": {}, "terminated": { "containerID": "cri-o://25fb763aa5c11cf411afb64506d2cff7bcf8fecb525da1835b501dbfdfdbbe34", "exitCode": 0, "finishedAt": "2026-05-11T11:37:54Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:53Z" }, "terminationReason": "Completed" }, { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:932d686d7695528116c4988e147284ae6faec0fe2333c362af01c70d5eb1448c", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://8854a7b5a29c2bedea07f189f4f9f09927451ace3c4085b7b19e400421b649e0", "exitCode": 0, "finishedAt": "2026-05-11T11:37:56Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:54Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/oras@sha256:a8d8dedde37815c2994c40eb5cb7381dbc6b26b833e0f736a3a752d993206c6b", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://d30bffc6b75bf4a237526df83d13f8acd29f36d7c443c9a6d08c660c2b5e7192", "exitCode": 0, "finishedAt": "2026-05-11T11:37:58Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:57Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:52cc21d3a3cd44dac8c77638268ef1f83f908008e98529603048b8c42b544091", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://65d9447fbe8a2f70e069431c90307aa55f23bf8ec2e0565f7d5d83181458842c", "exitCode": 0, "finishedAt": "2026-05-11T11:38:00Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\\\", \\\"digests\\\": [\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\":\\\"sha256:94d73144d169154bd8f43ccb873c3a9b69701844e08e373fe2fe0abd5c436cd9\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":1,\\\"low\\\":89,\\\"unknown\\\":117}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:00+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:59Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform built by.", "name": "image-platform", "type": "string" }, { "default": "", "description": "unused, should be removed in next task version.", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Clair scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "cpu": "800m", "memory": "7Gi" }, "requests": { "cpu": "800m", "memory": "7Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_PLATFORM" } ], "image": "quay.io/konflux-ci/clair-in-ci:v1", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee \"clair-report-$2.json\"; } \u0026\u0026 \\\n { retry clair-action convert --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-$arch.sha\"\n\n if [ -e \"$sha_file\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n local digest=\"${imagewithouttag}@${arch_sha}\"\n\n echo \"Running clair-action on $arch image manifest...\"\n clair_report \"$digest\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_clair_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n echo 'No Clair reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n fi\n\n #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/db960840-4720-4502-ba43-81a23e11c802", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-ca4bb95f56725a5c-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:47Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-clamav-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "81051", "uid": "db960840-4720-4502-ba43-81a23e11c802" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:44Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:44Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, "entryPoint": "clamav-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\", \"digests\": [\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499521\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-ca4bb95f56725a5c-01" }, "startTime": "2026-05-11T11:37:47Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://a94db03998fb14f04d17e5052501205136bf5d777f8ea2ca11b9804816d911b5", "exitCode": 0, "finishedAt": "2026-05-11T11:38:42Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\\\", \\\"digests\\\": [\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499521\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:54Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:983fd3222163307ea38019b54862873ad3443ecba85173aa866a8d2a105338de", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://4d658e5bd6f5c0719a7df20d641a614607a30672e63b80622b0678a1813b14dd", "exitCode": 0, "finishedAt": "2026-05-11T11:38:43Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\\\", \\\"digests\\\": [\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499521\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:42Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "7300m", "memory": "12Gi" }, "requests": { "cpu": "7300m", "memory": "12Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/1e19f197-9f7f-4fef-9aa6-3ed7f7956b71", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-e7c57d1b5a56e0e6-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:36:37Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-clone-repository", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "76880", "uid": "1e19f197-9f7f-4fef-9aa6-3ed7f7956b71" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "revision", "value": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "git-clone" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "output", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } }, { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-vnfmfm" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:50Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:50Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21" }, "entryPoint": "git-clone", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "commit", "type": "string", "value": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "commit-timestamp", "type": "string", "value": "1778499379" }, { "name": "short-commit", "type": "string", "value": "2cfcb9d" }, { "name": "url", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-e7c57d1b5a56e0e6-01" }, "startTime": "2026-05-11T11:36:38Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://ca2d706fe2a7bf218df44741b7ff98052afee79b35c2e8f88ecf0e4b3bcf0727", "exitCode": 0, "finishedAt": "2026-05-11T11:36:48Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499379\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"2cfcb9d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:48Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://0ac59ee140a797fd48838d216e0d328fd1fa3898300d2928b56df93a7b577625", "exitCode": 0, "finishedAt": "2026-05-11T11:36:49Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778499379\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"2cfcb9d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:49Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "PARAM_REVISION", "value": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_SUBDIRECTORY", "value": "source" }, { "name": "PARAM_DELETE_EXISTING", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_GIT_INIT_IMAGE" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "/workspace/output" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\nfi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "PARAM_SUBDIRECTORY", "value": "source" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "/workspace/output" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/cb6fa769-962c-4820-a7b4-3dc6959e29ed", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-3a2de8aba5f5f7fb-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:36:33Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-init", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "76247", "uid": "cb6fa769-962c-4820-a7b4-3dc6959e29ed" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:36:37Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:36:37Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-3a2de8aba5f5f7fb-01" }, "startTime": "2026-05-11T11:36:33Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://6c16f6707875b6d679eee6bab460476de19b9e48c7ad4f6ce17dd1d29cbc6d54", "exitCode": 0, "finishedAt": "2026-05-11T11:36:36Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:36:36Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/05c595de-5212-492c-b3e1-658c154ebd32", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-7ed337ac7156113a-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:36:51Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-prefetch-dependencies", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "77216", "uid": "05c595de-5212-492c-b3e1-658c154ebd32" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:214dcd12ea5b30c431dc0a1fae483422c6d397e453f9e832489e93a47853c58f" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "source", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } }, { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-vnfmfm" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:00Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:00Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-prefetch-dependencies-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "214dcd12ea5b30c431dc0a1fae483422c6d397e453f9e832489e93a47853c58f" }, "entryPoint": "prefetch-dependencies", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies" } }, "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-7ed337ac7156113a-01" }, "startTime": "2026-05-11T11:36:51Z", "steps": [ { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://3dd95508836d7b932ecfdadcc7cb89ac843f23f8b7dd0c06353b555e9e05957d", "exitCode": 0, "finishedAt": "2026-05-11T11:36:59Z", "reason": "Completed", "startedAt": "2026-05-11T11:36:56Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "1", "memory": "3Gi" }, "requests": { "cpu": "1", "memory": "3Gi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/workspace/source/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/workspace/source/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/workspace/source/cachi2/cachi2.env /workspace/source/cachi2/prefetch.env /workspace/source/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "emptyDir": {}, "name": "config" } ], "workspaces": [ { "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well", "name": "source" }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/49283829-edde-4726-85a6-69626118ed85", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, appstudio", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-eadf6f3aa4f987eb-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:48Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "push-dockerfile", "tekton.dev/task": "push-dockerfile", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-push-dockerfile", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79582", "uid": "49283829-edde-4726-85a6-69626118ed85" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "push-dockerfile" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:359199272c9a403275162a6741d098d7987334232630b59093d781c743fa99e7" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:02Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:02Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-push-dockerfile-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "359199272c9a403275162a6741d098d7987334232630b59093d781c743fa99e7" }, "entryPoint": "push-dockerfile", "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile" } }, "results": [ { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:3db7299e159a1dcb9ffd2c3301a4cab67eb007dbbfe5fedfa602c2cd324c5f95" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-eadf6f3aa4f987eb-01" }, "startTime": "2026-05-11T11:37:48Z", "steps": [ { "container": "step-push", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://2ec829093512f8a3aa3df6248c128f6112e38fcac4706814c91f25d3a8e84f87", "exitCode": 0, "finishedAt": "2026-05-11T11:38:01Z", "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh@sha256:3db7299e159a1dcb9ffd2c3301a4cab67eb007dbbfe5fedfa602c2cd324c5f95\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:01Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.", "params": [ { "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.", "name": "IMAGE", "type": "string" }, { "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile.", "name": "DOCKERFILE", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": ".dockerfile", "description": "Suffix of the Dockerfile image tag.", "name": "TAG_SUFFIX", "type": "string" }, { "default": "application/vnd.konflux.dockerfile", "description": "Artifact type of the Dockerfile image.", "name": "ARTIFACT_TYPE", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "results": [ { "description": "Digest-pinned image reference to the Dockerfile image.", "name": "IMAGE_REF", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--source", "source", "--context", ".", "--containerfile", "docker/Dockerfile", "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "--image-digest", "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195", "--artifact-type", "application/vnd.konflux.dockerfile", "--tag-suffix", ".dockerfile", "--result-path-image-ref", "/tekton/results/IMAGE_REF", "--alternative-filename", "Dockerfile" ], "command": [ "konflux-build-cli", "image", "push-containerfile" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "push", "workingDir": "/workspace/workspace" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "Workspace containing the source code from where the Dockerfile is discovered.", "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/45434d57-b4bc-4e5b-86d6-2f9b6a19f45b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-6f251a7b37562e01-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:48Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-rpms-signature-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79642", "uid": "45434d57-b4bc-4e5b-86d6-2f9b6a19f45b" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "image-digest", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:03Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:03Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-rpms-signature-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\", \"digests\": [\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:02+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-6f251a7b37562e01-01" }, "startTime": "2026-05-11T11:37:48Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://fd62d545bb67453cb6807b9b6552ea5b3774d05966468d098ce2803d67a4bd35", "exitCode": 0, "finishedAt": "2026-05-11T11:38:02Z", "reason": "Completed", "startedAt": "2026-05-11T11:37:53Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://c1f40e12810435ef144c579ba4d39e07ccffe024fdd236f3906822756a9ddbe2", "exitCode": 0, "finishedAt": "2026-05-11T11:38:03Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\\\", \\\"digests\\\": [\\\"sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:02+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:02Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/80dd379c-e14a-4420-ab31-f68f4ed2a073", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-5c9fb13c06677b82-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:47Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-sast-shell-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "80247", "uid": "80dd379c-e14a-4420-ab31-f68f4ed2a073" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "TARGET_DIRS", "value": "." } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:2cd09c97b9f0fae9c7bcd26d956f77221fb7137ee8b2ef17e7351b5e6f1eb89e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } } ] }, "status": { "completionTime": "2026-05-11T11:38:32Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:32Z", "message": "the step \"sast-shell-check\" in TaskRun \"test-comp-tysh-on-pull-request-qnq59-sast-shell-check\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "2cd09c97b9f0fae9c7bcd26d956f77221fb7137ee8b2ef17e7351b5e6f1eb89e" }, "entryPoint": "sast-shell-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check" } }, "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-5c9fb13c06677b82-01" }, "startTime": "2026-05-11T11:37:48Z", "steps": [ { "container": "step-sast-shell-check", "name": "sast-shell-check", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:38:32Z", "message": "Step sast-shell-check terminated as pod test-comp-tysh-on-pull-request-qnq59-sast-shell-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:37:47Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:5da32f9d64fdb2a960792e282f739e9d398a69e4c43d7183323ea8a13b845c73", "name": "upload", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:38:32Z", "message": "Step upload terminated as pod test-comp-tysh-on-pull-request-qnq59-sast-shell-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:38:30Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "8", "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c /sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/workspace/workspace/hacbs/sast-shell-check" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:6a46c5960cbcb81d9f6b0206163102d6f2e9e649ec231136f9ee33c02d3c1ad0", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/workspace/hacbs/sast-shell-check" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/a2486a73-4e96-4cb1-9cba-ae9205e4a33a", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-49217406c4c35d67-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:47Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "sast-snyk-check", "tekton.dev/task": "sast-snyk-check", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-sast-snyk-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79670", "uid": "a2486a73-4e96-4cb1-9cba-ae9205e4a33a" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "TARGET_DIRS", "value": "." } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "sast-snyk-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:566753ca880764361b11f2c67d8e62dda94f829b11cb48e4716f27568216a481" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:04Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:04Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-sast-snyk-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "566753ca880764361b11f2c67d8e62dda94f829b11cb48e4716f27568216a481" }, "entryPoint": "sast-snyk-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-05-11T11:38:03+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-49217406c4c35d67-01" }, "startTime": "2026-05-11T11:37:47Z", "steps": [ { "container": "step-sast-snyk-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-snyk-check", "provenance": {}, "terminated": { "containerID": "cri-o://e670418630cd7a18dd7ea278ca1f9c4105c6cb505b6a710fea9e3e833df57165", "exitCode": 0, "finishedAt": "2026-05-11T11:38:03Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:03+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:02Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://dc423ccf130b4f8b4220dc83694f604febc049d7b7e86a1ab09c2a81a3bb0495", "exitCode": 0, "finishedAt": "2026-05-11T11:38:03Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:03+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:03Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.", "params": [ { "default": "snyk-secret", "description": "Name of secret which contains Snyk token.", "name": "SNYK_SECRET", "type": "string" }, { "default": "", "description": "Append arguments.", "name": "ARGS", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "description": "Digest of the image to scan.", "name": "image-digest", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "true", "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Write excluded records in file. Useful for auditing (defaults to false).", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "", "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.", "name": "IGNORE_FILE_PATHS", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "memory": "6Gi" }, "requests": { "cpu": "1", "memory": "6Gi" } }, "env": [ { "name": "SNYK_SECRET", "value": "snyk-secret" }, { "name": "ARGS" }, { "name": "IGNORE_FILE_PATHS" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } }, { "name": "TARGET_DIRS", "value": "." } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-snyk-check", "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n # SNYK token is provided\n SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n export SNYK_TOKEN\nelse\n # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n # shellcheck disable=SC2034\n to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# Wrapper around snyk code test that maps valid non-zero exit codes (1, 3)\n# to 0 so the existing retry function only retries on exit code 2 (error).\n# Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n# The real exit code is always preserved in SNYK_EXIT_CODE.\n# Error codes (2+) always override, valid codes (0, 1, 3) only if no previous error.\n_snyk_code_test() {\n snyk code test \"$@\" 1\u003e\u00262\u003e\u003e stdout.txt\n local ec=$?\n if [[ \"$ec\" -ne 0 ]] \u0026\u0026 [[ \"$ec\" -ne 1 ]] \u0026\u0026 [[ \"$ec\" -ne 3 ]]; then\n SNYK_EXIT_CODE=$ec\n fi\n if [[ \"$ec\" -eq 1 ]] || [[ \"$ec\" -eq 3 ]]; then\n return 0\n fi\n return \"$ec\"\n}\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n resolved_path=$(realpath -m \"$potential_path\")\n\n # Ensure resolved path is still within SOURCE_CODE_DIR\n if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\n\n # Ensure directory exists\n if [ ! -d \"$resolved_path\" ]; then\n echo \"Warning: Directory $resolved_path does not exist, skipping\"\n continue\n fi\n\n echo \"INFO: Scanning directory: $resolved_path\"\n # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n # shellcheck disable=SC2086\n RETRY_INTERVAL=30 retry _snyk_code_test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\"\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n echo \"WARN: No JSON output files were generated by snyk scan\"\n # Get snyk version for proper SARIF metadata\n SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n # Create a valid minimal SARIF structure using jq\n # Note: coverage array is required even when empty because downstream jq commands expect it\n jq -n --arg version \"$SNYK_VERSION\" '{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [{\n \"tool\": {\n \"driver\": {\n \"name\": \"snyk\",\n \"version\": $version,\n \"informationUri\": \"https://snyk.io\"\n }\n },\n \"results\": [],\n \"properties\": {\n \"coverage\": []\n }\n }]\n }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n fi\n\n # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n (cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n | csgrep --mode=json --strip-path-prefix=\"source/\" \\\n \u003e sast_snyk_check_out_all_findings.json\n\n echo \"INFO: Initial results:\"\n csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n fi\n PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n # create the KFP clone directory regardless\n KFP_DIR=\"known-false-positives\"\n KFP_CLONED=\"0\"\n mkdir \"${KFP_DIR}\"\n\n # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n if [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\n fi\n\n if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n else\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n CMD=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n CMD+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n set +e\n \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\n echo \"INFO: Results after filtering:\"\n (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n fi\n\n # Generation of scan stats\n\n total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n # We make sure the values are 0 if no supported/total files are found\n if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n total_files=0\n fi\n\n if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n supported_files=0\n fi\n\n coverage_ratio=0\n if (( total_files \u003e 0 )); then\n coverage_ratio=$((supported_files * 100 / total_files))\n fi\n\n # embed stats in results file and convert to SARIF\n csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n --set-scan-prop snyk-scanned-files-success:\"${supported_files}\" \\\n --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n filtered_sast_snyk_check_out.json \u003e sast_snyk_check_out.sarif\n\n # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n # - \"error\" → importance level 1\n # - \"warning\" (or missing level) → importance level 0\n RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n else\n # Use all findings for Tekton task result\n RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n fi\n\n TEST_OUTPUT=\n parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\" || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-snyk-check test failed because of the following issues:\"\n cat stdout.txt\n note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/etc/secrets", "name": "snyk-secret", "readOnly": true }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/workspace/workspace/hacbs/sast-snyk-check" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n then\n echo \"Failed to attach to ${IMAGE_URL}\"\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/workspace/hacbs/sast-snyk-check" } ], "volumes": [ { "name": "snyk-secret", "secret": { "optional": true, "secretName": "snyk-secret" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/commit_sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "build.appstudio.redhat.com/pull_request_number": "17932", "build.appstudio.redhat.com/target_branch": "base-rqwphu", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5105b11d67", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-rqwphu", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vnfmfm", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-tysh-on-pull-request-qnq59", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-rqwphu\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/sha-title": "e2e test commit message", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-tysh", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0/records/6a83a777-e742-4c8c-9eb0-7a5926cd1147", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"2cfcb9db25316c7821d69c2f2f4c2ab09263eddf\",\"eventType\":\"pull_request\",\"pull_request-id\":17932}", "results.tekton.dev/result": "build-e2e-tkrv/results/51c2e613-7606-4a23-9e56-3207357407f0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-cbe2bf1d305616ad79b6eca3050d39ba-bfa77fff1bf368e9-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-tysh" }, "creationTimestamp": "2026-05-11T11:37:48Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-tysh", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75344475405", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-tysh-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17932", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "2cfcb9db25316c7821d69c2f2f4c2ab09263eddf", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRun": "test-comp-tysh-on-pull-request-qnq59", "tekton.dev/pipelineRunUID": "51c2e613-7606-4a23-9e56-3207357407f0", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check", "test.appstudio.openshift.io/pr-group-sha": "9c95f35c5b734d70efd44adee99d3f6e912938a10e4b7e02acafdcbba95ebf" }, "name": "test-comp-tysh-on-pull-request-qnq59-sast-unicode-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-tysh-on-pull-request-qnq59", "uid": "51c2e613-7606-4a23-9e56-3207357407f0" } ], "resourceVersion": "79690", "uid": "6a83a777-e742-4c8c-9eb0-7a5926cd1147" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "TARGET_DIRS", "value": "." } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-tysh", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:c162d9d0cd1e4c64dfc340577ba8e6bf55ebd1bb859fe3157217de9b4473c640" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-3e54627ae0" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:38:05Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:38:05Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-tysh-on-pull-request-qnq59-sast-unicode-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "c162d9d0cd1e4c64dfc340577ba8e6bf55ebd1bb859fe3157217de9b4473c640" }, "entryPoint": "sast-unicode-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:38:03+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-cbe2bf1d305616ad79b6eca3050d39ba-bfa77fff1bf368e9-01" }, "startTime": "2026-05-11T11:37:48Z", "steps": [ { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://38c927a9e4e895221c9cf684d2b96ff44c20ae166b6744df5d769860cf9899c0", "exitCode": 0, "finishedAt": "2026-05-11T11:38:03Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:03+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:02Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://c1ea573cba47ac074860344960f58e45ca9fb9c95f8c3ee9e3f1039547efbcf8", "exitCode": 0, "finishedAt": "2026-05-11T11:38:04Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:38:03+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:38:03Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/workspace/workspace" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log \\\n || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/workspace/workspace/hacbs/sast-unicode-check" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-tysh:on-pr-2cfcb9db25316c7821d69c2f2f4c2ab09263eddf" }, { "name": "IMAGE_DIGEST", "value": "sha256:6f57d783db46bb1491f264ede24048e4d0d91c2a0f711d1b890669dfd2f5a195" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/workspace/hacbs/sast-unicode-check" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/98df5491-2512-4a12-82eb-74d7ecca704d", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-d81f42c55e0b278c-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks", "tekton.dev/task": "ecosystem-cert-preflight-checks", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-86e7e76243b02961e8aac10ab4ce3229", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "65268", "uid": "98df5491-2512-4a12-82eb-74d7ecca704d" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "ecosystem-cert-preflight-checks" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:e2bcf1174a6dae9969b8f12e94babe2a5881bc77a509f10823b6a9eac6392850" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:30:40Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:30:40Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-requefebdad9e4a5a3a798b55d431ac7c186-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "e2bcf1174a6dae9969b8f12e94babe2a5881bc77a509f10823b6a9eac6392850" }, "entryPoint": "ecosystem-cert-preflight-checks", "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks" } }, "results": [ { "name": "ARTIFACT_TYPE", "type": "string", "value": "application" }, { "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "introspection" }, { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\", \"digests\": [\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\"]}}" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778499038\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":3,\"failures\":4,\"warnings\":0}" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-d81f42c55e0b278c-01" }, "startTime": "2026-05-11T11:29:06Z", "steps": [ { "container": "step-introspect", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "introspect", "provenance": {}, "results": [ { "name": "artifact-type", "type": "string", "value": "application" }, { "name": "artifact-type-set-by", "type": "string", "value": "introspection" } ], "terminated": { "containerID": "cri-o://a34c98d439b8cf9187a00ebb1b5176d25a7355e2bba9304b5f41acdafaaebf54", "exitCode": 0, "finishedAt": "2026-05-11T11:30:27Z", "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:26Z" }, "terminationReason": "Completed" }, { "container": "step-generate-container-auth", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "generate-container-auth", "provenance": {}, "results": [ { "name": "auth-json-path", "type": "string", "value": "/auth/auth.json" } ], "terminated": { "containerID": "cri-o://475581016a47f1d7ec427121f3848358b92a1526332835f9fb7098ea4fcf486c", "exitCode": 0, "finishedAt": "2026-05-11T11:30:28Z", "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:28Z" }, "terminationReason": "Completed" }, { "container": "step-set-skip-for-bundles", "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:557d6789136c2fe8d64303d1524453f06040f548f4fcabe6404366751c575064", "name": "set-skip-for-bundles", "provenance": {}, "terminated": { "containerID": "cri-o://e5b0fb85db313e372d297e4713454ec96deb40322486b4c9dd05c0b25fa94a91", "exitCode": 0, "finishedAt": "2026-05-11T11:30:28Z", "reason": "Completed", "startedAt": "2026-05-11T11:30:28Z" }, "terminationReason": "Skipped" }, { "container": "step-app-check", "imageID": "quay.io/opdev/preflight@sha256:2f9816292f4dec166c03d913d7e8b9673f9313bc5220a5b82efb0923b81095b1", "name": "app-check", "provenance": {}, "terminated": { "containerID": "cri-o://351c59147ec6e5497ea14829275d218a51ce78d84f0130ccc97939a87e81d8c9", "exitCode": 0, "finishedAt": "2026-05-11T11:30:37Z", "reason": "Completed", "startedAt": "2026-05-11T11:30:28Z" }, "terminationReason": "Completed" }, { "container": "step-app-set-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "app-set-outcome", "provenance": {}, "results": [ { "name": "images-processed", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\", \"digests\": [\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\"]}}" }, { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778499038\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":3,\"failures\":4,\"warnings\":0}" } ], "terminated": { "containerID": "cri-o://33691667a629262982f45f565fe4014d11e7df92f0293094a956538146343046", "exitCode": 0, "finishedAt": "2026-05-11T11:30:38Z", "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\\\", \\\"digests\\\": [\\\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1778499038\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":3,\\\"failures\\\":4,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:38Z" }, "terminationReason": "Completed" }, { "container": "step-final-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "final-outcome", "provenance": {}, "results": [ { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778499038\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":3,\"failures\":4,\"warnings\":0}" } ], "terminated": { "containerID": "cri-o://5a35028dc2f2319968e206e49febf11749e4c01bb7486cfe51da9a6b4523828e", "exitCode": 0, "finishedAt": "2026-05-11T11:30:39Z", "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1778499038\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":3,\\\"failures\\\":4,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:39Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.", "params": [ { "description": "Image url to scan.", "name": "image-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "introspect", "description": "The type of artifact. Select from application, operatorbundle, or introspect.", "name": "artifact-type", "type": "string" }, { "default": "", "description": "The platform the image is built on.", "name": "platform", "type": "string" } ], "results": [ { "description": "Ecosystem checks pass or fail outcome.", "name": "TEST_OUTPUT", "type": "string", "value": "$(steps.final-outcome.results.test-output)" }, { "description": "The artifact type, either introspected or set.", "name": "ARTIFACT_TYPE", "type": "string", "value": "$(steps.introspect.results.artifact-type)" }, { "description": "How the artifact type was set.", "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "$(steps.introspect.results.artifact-type-set-by)" }, { "description": "Collected image digests", "name": "IMAGES_PROCESSED", "type": "string", "value": "$(steps.app-set-outcome.results.images-processed)" } ], "steps": [ { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "PARAM_ARTIFACT_TYPE", "value": "introspect" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "introspect", "results": [ { "description": "The type of artifact this task is considering.", "name": "artifact-type" }, { "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n", "name": "artifact-type-set-by" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n echo \"Artifact type will be determined by introspection.\"\n _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n # short circuit if the artifact type was set via parameter.\n echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n _CURRENT_ARCH=$(uname -m)\n _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n # to map them.\n case ${_CURRENT_ARCH} in\n \"aarch64\")\n _CURRENT_ARCH=\"arm64\"\n ;;\n \"x86_64\")\n _CURRENT_ARCH=\"amd64\"\n ;;\n *)\n ;;\n esac\n\n # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n else\n # If there is no image for the current OS and architecture, just use the first one in the list.\n _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n | jq '.Labels | keys | .[]' -r \\\n | { grep operators.operatorframework.io.bundle || true ;} \\\n | tee /tmp/ecosystem-image-labels\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n" }, { "computeResources": { "limits": { "memory": "64Mi" }, "requests": { "cpu": "50m", "memory": "64Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "generate-container-auth", "results": [ { "description": "Path to auth.json", "name": "auth-json-path" } ], "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n", "volumeMounts": [ { "mountPath": "/auth", "name": "auth" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "results": [ { "description": "A skipped tekton result for bundles.", "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/bundle", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "operatorbundle" ] } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "PFLT_DOCKERCONFIG", "value": "$(steps.generate-container-auth.results.auth-json-path)" }, { "name": "PFLT_KONFLUX", "value": "true" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "PARAM_PLATFORM" } ], "image": "quay.io/opdev/preflight:stable@sha256:2f9816292f4dec166c03d913d7e8b9673f9313bc5220a5b82efb0923b81095b1", "name": "app-check", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n # Extract part after slash if present\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n\n # Validate against supported arch list. If it's not a known arch, return an error result\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n /usr/local/bin/preflight check container \"$image_url\"\nfi\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" }, { "mountPath": "/auth", "name": "auth", "readOnly": true } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "app-set-outcome", "results": [ { "description": "The overall outcome of this task.", "name": "test-output" }, { "description": "Processed image digests.", "name": "images-processed" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n # Check if results directory exits\n RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n continue\n fi\n # Process results\n if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{ result: $result,\n timestamp: $date,\n note: $note,\n successes: $successes|tonumber,\n failures: $failures|tonumber,\n warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nretry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" \u003e /tmp/raw-manifest.json\nimage_digest=\"sha256:$(sha256sum \u003c /tmp/raw-manifest.json | awk '{print $1}')\"\nif [[ ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "final-outcome", "results": [ { "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/mount", "name": "pfltoutputdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "pfltoutputdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "auth" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/2ce01a18-c4a4-4f78-b74e-5169e84f74e1", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-9052cb766d4599a6-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "apply-tags", "tekton.dev/task": "apply-tags", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-apply-tags", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "63771", "uid": "2ce01a18-c4a4-4f78-b74e-5169e84f74e1" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "apply-tags" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:29:41Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:41Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-apply-tags-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, "entryPoint": "apply-tags", "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags" } }, "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-9052cb766d4599a6-01" }, "startTime": "2026-05-11T11:29:06Z", "steps": [ { "container": "step-apply-additional-tags", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "apply-additional-tags", "provenance": {}, "terminated": { "containerID": "cri-o://0f8bb528c8618120e34b4e9d767eb436a0428f261543a034bd539c8d36ca7637", "exitCode": 0, "finishedAt": "2026-05-11T11:29:40Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:39Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Applies additional tags to the built image.", "params": [ { "description": "Image repository and tag reference of the the built image.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest of the built image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": [], "description": "Additional tags that will be applied to the image in the registry.", "name": "ADDITIONAL_TAGS", "type": "array" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45", "--digest", "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8", "--tags", "--tags-from-image-label", "konflux.additional-tags" ], "command": [ "konflux-build-cli", "image", "apply-tags" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "apply-additional-tags" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/13698293-a7fc-4983-8b7c-3bb327ca6a79", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-c19cf21fdc1da3ad-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:27:06Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-build-container", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "61229", "uid": "13698293-a7fc-4983-8b7c-3bb327ca6a79" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "COMMIT_SHA", "value": "eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:681d9f65a7f50cb260ee576ccab551e11d63c549f1e1ef3d201da3c112855bd6" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:38Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:38Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "681d9f65a7f50cb260ee576ccab551e11d63c549f1e1ef3d201da3c112855bd6" }, "entryPoint": "buildah-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:727a7e7c2c5256bbb20967975ed411781b69284e8ec967ace8a773e9fa546298" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-c19cf21fdc1da3ad-01" }, "startTime": "2026-05-11T11:27:07Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://99df519532ac3b838a99bf486b70a3a76003663a65a35d0d0e9eb9285cb79c7d", "exitCode": 0, "finishedAt": "2026-05-11T11:27:45Z", "reason": "Completed", "startedAt": "2026-05-11T11:27:45Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://7abcd038f30ebf6f9fc4a0a14b0677f1fe023f43184f87dfc7d7ef8f09fff162", "exitCode": 0, "finishedAt": "2026-05-11T11:28:17Z", "reason": "Completed", "startedAt": "2026-05-11T11:27:45Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://bd26e654202e4809e368528e666b4be82e90b0c663d5ad05880e709c9d0b4afd", "exitCode": 0, "finishedAt": "2026-05-11T11:28:24Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:18Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://c8f79e2dc1c55cc0125f4e47150342ff3621c38548ebfd42a04f977a7d51088b", "exitCode": 0, "finishedAt": "2026-05-11T11:28:30Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:25Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://366293cf79e880647460d9390b2f2aa94bbaaaa39a3cb1cab64c9b3650791745", "exitCode": 0, "finishedAt": "2026-05-11T11:28:34Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:30Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://b3e3b1e47236d9dc30cd0d5ca1a413bd0474d8e43c43db33da472daa87a61b23", "exitCode": 0, "finishedAt": "2026-05-11T11:28:38Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:727a7e7c2c5256bbb20967975ed411781b69284e8ec967ace8a773e9fa546298\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:34Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "4600m", "memory": "8Gi" }, "requests": { "cpu": "4600m", "memory": "8Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "SOURCE_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "600m", "memory": "4Gi" }, "requests": { "cpu": "600m", "memory": "4Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "TASKRUN_NAME", "value": "test-comp-uhww-on-pull-request-r266g-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "1100m", "memory": "4Gi" }, "requests": { "cpu": "1100m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/9331614e-3010-4bdb-8e78-a7d5a43578fc", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-49ada34e7e494f9d-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:28:39Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-build-image-index", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "62552", "uid": "9331614e-3010-4bdb-8e78-a7d5a43578fc" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" ] }, { "name": "BUILDAH_FORMAT", "value": "oci" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "build-image-index" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:29:05Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:05Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-build-image-index-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, "entryPoint": "build-image-index", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-49ada34e7e494f9d-01" }, "startTime": "2026-05-11T11:28:39Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://584ae04477dbefae17bcbe5541d32f13997479df455e3005eef50e2e6d7267b8", "exitCode": 0, "finishedAt": "2026-05-11T11:29:01Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:59Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://aee5054d30f29e75893376784d897fef5893ae63332666d3a26bc7ef9a503335", "exitCode": 0, "finishedAt": "2026-05-11T11:29:02Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:02Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://e29e37bbea498e06556b9d1f592c1721ca362e29b32222baa48e634cc1477d83", "exitCode": 0, "finishedAt": "2026-05-11T11:29:05Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:02Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45@sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "250m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"test-comp-uhww-on-pull-request-r266g-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/e328b746-217d-4d9d-a1e3-60bec486e678", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-0d76326de11e4711-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "clair-scan", "tekton.dev/task": "clair-scan", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-clair-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "69424", "uid": "e328b746-217d-4d9d-a1e3-60bec486e678" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "clair-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:18Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:18Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-clair-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, "entryPoint": "clair-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\", \"digests\": [\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\":\"sha256:988973f37a2d22edf4694042f6683b2fff1c88e4e5ecbddd6680a683fe9ab15f\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":1,\"low\":89,\"unknown\":117}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:33:17+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-0d76326de11e4711-01" }, "startTime": "2026-05-11T11:29:07Z", "steps": [ { "container": "step-get-image-manifests", "imageID": "quay.io/konflux-ci/konflux-test@sha256:52cc21d3a3cd44dac8c77638268ef1f83f908008e98529603048b8c42b544091", "name": "get-image-manifests", "provenance": {}, "terminated": { "containerID": "cri-o://beefe5831a96c5f85c494e95eb94a04bf1224cfb8d421d23513a7c5d34e26044", "exitCode": 0, "finishedAt": "2026-05-11T11:32:06Z", "reason": "Completed", "startedAt": "2026-05-11T11:32:05Z" }, "terminationReason": "Completed" }, { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:932d686d7695528116c4988e147284ae6faec0fe2333c362af01c70d5eb1448c", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://2c4ed1aea1f9ae5ecea17aec8eb7002a7dc08982bea30fccb7fc374ada8a5b4d", "exitCode": 0, "finishedAt": "2026-05-11T11:33:15Z", "reason": "Completed", "startedAt": "2026-05-11T11:32:06Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/oras@sha256:a8d8dedde37815c2994c40eb5cb7381dbc6b26b833e0f736a3a752d993206c6b", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://1ee83a600970c1d420af4a8e51313681080509bd9de7042828c9e5bf057d87a9", "exitCode": 0, "finishedAt": "2026-05-11T11:33:17Z", "reason": "Completed", "startedAt": "2026-05-11T11:33:15Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:52cc21d3a3cd44dac8c77638268ef1f83f908008e98529603048b8c42b544091", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://8efa69ebbe9aaf119c778e08db6fb5f3300fd7259e17ef83acd74f30ae878670", "exitCode": 0, "finishedAt": "2026-05-11T11:33:17Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\\\", \\\"digests\\\": [\\\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\\\":\\\"sha256:988973f37a2d22edf4694042f6683b2fff1c88e4e5ecbddd6680a683fe9ab15f\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":1,\\\"low\\\":89,\\\"unknown\\\":117}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:33:17+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:17Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform built by.", "name": "image-platform", "type": "string" }, { "default": "", "description": "unused, should be removed in next task version.", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Clair scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "cpu": "800m", "memory": "7Gi" }, "requests": { "cpu": "800m", "memory": "7Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_PLATFORM" } ], "image": "quay.io/konflux-ci/clair-in-ci:v1", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee \"clair-report-$2.json\"; } \u0026\u0026 \\\n { retry clair-action convert --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-$arch.sha\"\n\n if [ -e \"$sha_file\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n local digest=\"${imagewithouttag}@${arch_sha}\"\n\n echo \"Running clair-action on $arch image manifest...\"\n clair_report \"$digest\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_clair_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n echo 'No Clair reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n fi\n\n #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/f3552ad0-eb6e-43b9-a984-e2109d8450fa", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-3be3dd111114706e-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-clamav-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "66799", "uid": "f3552ad0-eb6e-43b9-a984-e2109d8450fa" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:31:52Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:31:52Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, "entryPoint": "clamav-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\", \"digests\": [\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499073\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-3be3dd111114706e-01" }, "startTime": "2026-05-11T11:29:06Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://4cc890a3e48e29e0c3529eae5eecdf2d785708e9907151df6bb25bfedc1a1620", "exitCode": 0, "finishedAt": "2026-05-11T11:31:51Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\\\", \\\"digests\\\": [\\\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499073\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:30:21Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:983fd3222163307ea38019b54862873ad3443ecba85173aa866a8d2a105338de", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://c93ae7183f30831ba14ffbcfe74dd00578ea06a52966f08f264f67863f3b5b04", "exitCode": 0, "finishedAt": "2026-05-11T11:31:51Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\\\", \\\"digests\\\": [\\\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499073\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:31:14Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "7300m", "memory": "12Gi" }, "requests": { "cpu": "7300m", "memory": "12Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/342deb99-cdc4-464c-bc87-df86a5dc8d3e", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-ecafc1e1e9d5fee9-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:26:41Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-clone-repository", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "56233", "uid": "342deb99-cdc4-464c-bc87-df86a5dc8d3e" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "revision", "value": "eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45.git" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:13d49df7dc9ae301627e45f95a236011422996152f1bea46cd60217b0f057407" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-mkytum" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:26:50Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:26:50Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "13d49df7dc9ae301627e45f95a236011422996152f1bea46cd60217b0f057407" }, "entryPoint": "git-clone-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "commit", "type": "string", "value": "eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "commit-timestamp", "type": "string", "value": "1778498777" }, { "name": "short-commit", "type": "string", "value": "eda963b" }, { "name": "url", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-ecafc1e1e9d5fee9-01" }, "startTime": "2026-05-11T11:26:41Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://ad5b18ad7f6ddc8022f16e4695a68adedb1a81c23ace0a767d7f0477e4b576eb", "exitCode": 0, "finishedAt": "2026-05-11T11:26:47Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498777\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eda963b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:47Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://1bc78bef5046b59545c855cc026b736f0f32bffe099726992c0da5bb0dddd83f", "exitCode": 0, "finishedAt": "2026-05-11T11:26:48Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498777\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eda963b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:48Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://7bb506b3523303b36c2b2f61da9caa4f380f1be02ff1b8467874c0baf0519fef", "exitCode": 0, "finishedAt": "2026-05-11T11:26:49Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d\",\"type\":1},{\"key\":\"commit\",\"value\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498777\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eda963b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:48Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "PARAM_REVISION", "value": "eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "3Gi" }, "requests": { "cpu": "1", "memory": "3Gi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/6412393e-a883-4e9f-b761-76590bb79600", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-d34d64428f8aa108-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:26:34Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-init", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "55666", "uid": "6412393e-a883-4e9f-b761-76590bb79600" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:26:39Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:26:39Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-d34d64428f8aa108-01" }, "startTime": "2026-05-11T11:26:34Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://7cdb0f91ffb73aa4f2424997bbda1a496e0bd0030f7dfbe99e9c3f8eb0b403fe", "exitCode": 0, "finishedAt": "2026-05-11T11:26:38Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:38Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/c253ef2d-194b-4340-90a4-9c6997dfb608", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-efda826af8ab2193-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:26:50Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-prefetch-dependencies", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "56886", "uid": "c253ef2d-194b-4340-90a4-9c6997dfb608" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-mkytum" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:27:06Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:27:06Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-prefetch-dependencies-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d" }, "entryPoint": "prefetch-dependencies-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-efda826af8ab2193-01" }, "startTime": "2026-05-11T11:26:51Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://551855e26b84659409deb388aef733f2e5e1c6d5cb89e0e7c320eb2f897a1f7b", "exitCode": 0, "finishedAt": "2026-05-11T11:27:00Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:00Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://f41ea1ea8cb107315829ab60f60c4602f290cabca9900f44e8953c7626fae941", "exitCode": 0, "finishedAt": "2026-05-11T11:27:01Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:01Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://dea4c6e332568592e3cca51ca5d0859fbf0ef459d55a70a44f578ab3e272c7e2", "exitCode": 0, "finishedAt": "2026-05-11T11:27:04Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:01Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://1bcc60ebb5164afc47dad64663c4cd88207d2b40a60770644f9b927677a3e9d1", "exitCode": 0, "finishedAt": "2026-05-11T11:27:05Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:05Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "1", "memory": "3Gi" }, "requests": { "cpu": "1", "memory": "3Gi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "3Gi" }, "requests": { "cpu": "1", "memory": "3Gi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/48e1268a-da50-4050-b150-377c03f03415", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, appstudio", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-89bf23cac6ba3122-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:07Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "push-dockerfile", "tekton.dev/task": "push-dockerfile-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-push-dockerfile", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "63759", "uid": "48e1268a-da50-4050-b150-377c03f03415" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "push-dockerfile-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:29:41Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:41Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-push-dockerfile-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71" }, "entryPoint": "push-dockerfile-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta" } }, "results": [ { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:09526b99f4594a756a7715f5ad7a7addc226da699de02e95b9d0db5601d48918" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-89bf23cac6ba3122-01" }, "startTime": "2026-05-11T11:29:12Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://2900b4bf7533fb7ebe388179b7c5d4edb26c9a4e2d482031d6d099770d5c9e7e", "exitCode": 0, "finishedAt": "2026-05-11T11:29:39Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:39Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://aee24bfb29faa13afe67dab4db3b2a53299060a1d7bdbd926b83433efc2eb0ed", "exitCode": 0, "finishedAt": "2026-05-11T11:29:40Z", "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:09526b99f4594a756a7715f5ad7a7addc226da699de02e95b9d0db5601d48918\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:40Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.", "params": [ { "default": "application/vnd.konflux.dockerfile", "description": "Artifact type of the Dockerfile image.", "name": "ARTIFACT_TYPE", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile.", "name": "DOCKERFILE", "type": "string" }, { "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.", "name": "IMAGE", "type": "string" }, { "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".dockerfile", "description": "Suffix of the Dockerfile image tag.", "name": "TAG_SUFFIX", "type": "string" } ], "results": [ { "description": "Digest-pinned image reference to the Dockerfile image.", "name": "IMAGE_REF", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact" }, { "args": [ "--source", "source", "--context", ".", "--containerfile", "docker/Dockerfile", "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45", "--image-digest", "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8", "--artifact-type", "application/vnd.konflux.dockerfile", "--tag-suffix", ".dockerfile", "--result-path-image-ref", "/tekton/results/IMAGE_REF", "--alternative-filename", "Dockerfile" ], "command": [ "konflux-build-cli", "image", "push-containerfile" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "push", "workingDir": "/var/workdir" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/4d661466-1721-4c55-8453-ecb1a125dcc4", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-0d4766fcad7df185-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:07Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-rpms-signature-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "67274", "uid": "4d661466-1721-4c55-8453-ecb1a125dcc4" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "image-digest", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:32:10Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:32:10Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-rpms-signature-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\", \"digests\": [\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:32:09+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-0d4766fcad7df185-01" }, "startTime": "2026-05-11T11:29:07Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://3f140b60434c71279b0382fe274f967ed8b394331e45a0df4f932d250a0932e7", "exitCode": 0, "finishedAt": "2026-05-11T11:32:08Z", "reason": "Completed", "startedAt": "2026-05-11T11:31:58Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://2a55fcd1590a893e8a60efb741ee7227f3e1c99e2f7df4b91e873cb188244900", "exitCode": 0, "finishedAt": "2026-05-11T11:32:09Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45\\\", \\\"digests\\\": [\\\"sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:32:09+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:09Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/d560a014-75c6-4fa8-a2df-aaf4726df26e", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-a95a922b5ed3adc9-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-sast-shell-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "64415", "uid": "d560a014-75c6-4fa8-a2df-aaf4726df26e" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "completionTime": "2026-05-11T11:30:07Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:30:07Z", "message": "the step \"upload\" in TaskRun \"test-comp-uhww-on-pull-request-r266g-sast-shell-check\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57" }, "entryPoint": "sast-shell-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta" } }, "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-a95a922b5ed3adc9-01" }, "startTime": "2026-05-11T11:29:06Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:30:07Z", "message": "Step use-trusted-artifact terminated as pod test-comp-uhww-on-pull-request-r266g-sast-shell-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:29:14Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:30:07Z", "message": "Step sast-shell-check terminated as pod test-comp-uhww-on-pull-request-r266g-sast-shell-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:30:06Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-upload", "name": "upload", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:30:07Z", "message": "Step upload terminated as pod test-comp-uhww-on-pull-request-r266g-sast-shell-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:29:06Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "8", "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/fd60cc2a-315f-47f9-b03b-545ad0afe5ff", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-bc0050197124a41d-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "sast-snyk-check", "tekton.dev/task": "sast-snyk-check-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-sast-snyk-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "67004", "uid": "fd60cc2a-315f-47f9-b03b-545ad0afe5ff" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "sast-snyk-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8f3ecbeaff579e41b8278f82d7fabac27845db17a8e687ea6c510c0c9aceabbb" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "completionTime": "2026-05-11T11:31:59Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:31:59Z", "message": "the step \"upload\" in TaskRun \"test-comp-uhww-on-pull-request-r266g-sast-snyk-check\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-sast-snyk-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "8f3ecbeaff579e41b8278f82d7fabac27845db17a8e687ea6c510c0c9aceabbb" }, "entryPoint": "sast-snyk-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta" } }, "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-bc0050197124a41d-01" }, "startTime": "2026-05-11T11:29:10Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:31:59Z", "message": "Step use-trusted-artifact terminated as pod test-comp-uhww-on-pull-request-r266g-sast-snyk-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:30:10Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-sast-snyk-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-snyk-check", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:31:59Z", "message": "Step sast-snyk-check terminated as pod test-comp-uhww-on-pull-request-r266g-sast-snyk-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:31:58Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-upload", "name": "upload", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:31:59Z", "message": "Step upload terminated as pod test-comp-uhww-on-pull-request-r266g-sast-snyk-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:29:06Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.", "params": [ { "default": "", "description": "Append arguments.", "name": "ARGS", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.", "name": "IGNORE_FILE_PATHS", "type": "string" }, { "default": "true", "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Write excluded records in file. Useful for auditing (defaults to false).", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "snyk-secret", "description": "Name of secret which contains Snyk token.", "name": "SNYK_SECRET", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Digest of the image to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "6Gi" }, "requests": { "cpu": "1", "memory": "6Gi" } }, "env": [ { "name": "SNYK_SECRET", "value": "snyk-secret" }, { "name": "ARGS" }, { "name": "IGNORE_FILE_PATHS" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } }, { "name": "TARGET_DIRS", "value": "." } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-snyk-check", "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n # SNYK token is provided\n SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n export SNYK_TOKEN\nelse\n # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n # shellcheck disable=SC2034\n to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n note=\"Task sast-snyk-check-oci-ta skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# Wrapper around snyk code test that maps valid non-zero exit codes (1, 3)\n# to 0 so the existing retry function only retries on exit code 2 (error).\n# Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n# The real exit code is always preserved in SNYK_EXIT_CODE.\n# Error codes (2+) always override, valid codes (0, 1, 3) only if no previous error.\n_snyk_code_test() {\n snyk code test \"$@\" 1\u003e\u00262 \u003e\u003estdout.txt\n local ec=$?\n if [[ \"$ec\" -ne 0 ]] \u0026\u0026 [[ \"$ec\" -ne 1 ]] \u0026\u0026 [[ \"$ec\" -ne 3 ]]; then\n SNYK_EXIT_CODE=$ec\n fi\n if [[ \"$ec\" -eq 1 ]] || [[ \"$ec\" -eq 3 ]]; then\n return 0\n fi\n return \"$ec\"\n}\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/var/workdir\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n resolved_path=$(realpath -m \"$potential_path\")\n\n # Ensure resolved path is still within SOURCE_CODE_DIR\n if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\n\n # Ensure directory exists\n if [ ! -d \"$resolved_path\" ]; then\n echo \"Warning: Directory $resolved_path does not exist, skipping\"\n continue\n fi\n\n echo \"INFO: Scanning directory: $resolved_path\"\n # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n # shellcheck disable=SC2086\n RETRY_INTERVAL=30 retry _snyk_code_test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\"\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n echo \"WARN: No JSON output files were generated by snyk scan\"\n # Get snyk version for proper SARIF metadata\n SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n # Create a valid minimal SARIF structure using jq\n # Note: coverage array is required even when empty because downstream jq commands expect it\n jq -n --arg version \"$SNYK_VERSION\" '{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [{\n \"tool\": {\n \"driver\": {\n \"name\": \"snyk\",\n \"version\": $version,\n \"informationUri\": \"https://snyk.io\"\n }\n },\n \"results\": [],\n \"properties\": {\n \"coverage\": []\n }\n }]\n }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n fi\n\n # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n (cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) |\n csgrep --mode=json --strip-path-prefix=\"source/\" \\\n \u003esast_snyk_check_out_all_findings.json\n\n echo \"INFO: Initial results:\"\n csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n fi\n PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n # create the KFP clone directory regardless\n KFP_DIR=\"known-false-positives\"\n KFP_CLONED=\"0\"\n mkdir \"${KFP_DIR}\"\n\n # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n if [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\n fi\n\n if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n else\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n CMD=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n CMD+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n set +e\n \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003efiltered_sast_snyk_check_out.json\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\n echo \"INFO: Results after filtering:\"\n (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n fi\n\n # Generation of scan stats\n\n total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n # We make sure the values are 0 if no supported/total files are found\n if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n total_files=0\n fi\n\n if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n supported_files=0\n fi\n\n coverage_ratio=0\n if ((total_files \u003e 0)); then\n coverage_ratio=$((supported_files * 100 / total_files))\n fi\n\n # embed stats in results file and convert to SARIF\n csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n --set-scan-prop snyk-scanned-files-success:\"${supported_files}\" \\\n --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n filtered_sast_snyk_check_out.json \u003esast_snyk_check_out.sarif\n\n # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n # - \"error\" → importance level 1\n # - \"warning\" (or missing level) → importance level 0\n RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e\"$RESULT_SARIF\"\n else\n # Use all findings for Tekton task result\n RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n fi\n\n TEST_OUTPUT=\n parse_test_output \"sast-snyk-check-oci-ta\" sarif \"$RESULT_SARIF\" || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n note=\"Task sast-snyk-check-oci-ta success: Snyk code test found zero supported files.\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-snyk-check test failed because of the following issues:\"\n cat stdout.txt\n note=\"Task sast-snyk-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/etc/secrets", "name": "snyk-secret", "readOnly": true }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach to ${IMAGE_URL}\"\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "name": "snyk-secret", "secret": { "optional": true, "secretName": "snyk-secret" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/commit_sha": "eda963b758b539b162a95f37d86f0199680d7d45", "build.appstudio.redhat.com/pull_request_number": "17933", "build.appstudio.redhat.com/target_branch": "base-nodxgh", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-nodxgh", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-mkytum", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-uhww-on-pull-request-r266g", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-nodxgh\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-uhww", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-uhww", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa/records/25edab8d-379e-431c-b6f1-946d97891ce5", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"eda963b758b539b162a95f37d86f0199680d7d45\",\"eventType\":\"pull_request\",\"pull_request-id\":17933}", "results.tekton.dev/result": "build-e2e-tkrv/results/a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-016db769a7e9d2dde692c6510a9a4d08-aa763cd4fbbd2723-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-uhww" }, "creationTimestamp": "2026-05-11T11:29:06Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-uhww", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75342907473", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-uhww-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17933", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "eda963b758b539b162a95f37d86f0199680d7d45", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRun": "test-comp-uhww-on-pull-request-r266g", "tekton.dev/pipelineRunUID": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "544aed5c3d6ec0cad12073e9312457b53d6e23773decd8391e702c63ae1d69" }, "name": "test-comp-uhww-on-pull-request-r266g-sast-unicode-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-uhww-on-pull-request-r266g", "uid": "a51d55a0-9ce0-45d2-bd7f-bf069b27c7aa" } ], "resourceVersion": "67003", "uid": "25edab8d-379e-431c-b6f1-946d97891ce5" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-uhww", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "completionTime": "2026-05-11T11:31:59Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:31:59Z", "message": "the step \"upload\" in TaskRun \"test-comp-uhww-on-pull-request-r266g-sast-unicode-check\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "test-comp-uhww-on-pull-request-r266g-sast-unicode-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, "entryPoint": "sast-unicode-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta" } }, "spanContext": { "traceparent": "00-016db769a7e9d2dde692c6510a9a4d08-aa763cd4fbbd2723-01" }, "startTime": "2026-05-11T11:29:11Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:31:59Z", "message": "Step use-trusted-artifact terminated as pod test-comp-uhww-on-pull-request-r266g-sast-unicode-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:30:10Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:31:59Z", "message": "Step sast-unicode-check terminated as pod test-comp-uhww-on-pull-request-r266g-sast-unicode-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:31:58Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-upload", "name": "upload", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T11:31:59Z", "message": "Step upload terminated as pod test-comp-uhww-on-pull-request-r266g-sast-unicode-check-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T11:29:06Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww@sha256:895bdd16ee180bd3e6cf7548d3a27dd123613720d3b16b0b7b80d8604fab7e2d=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-uhww:on-pr-eda963b758b539b162a95f37d86f0199680d7d45" }, { "name": "IMAGE_DIGEST", "value": "sha256:91a89605c36493c07d8e8dbe8fb903bd3a643cbaad768a0c1c4fdb0b2fa91ab8" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/3c8666ac-233d-471a-9b1c-9db59517ef28", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-8330e2a390284638-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:28:52Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-build-container", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "69387", "uid": "3c8666ac-233d-471a-9b1c-9db59517ef28" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "COMMIT_SHA", "value": "726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:33:14Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:33:14Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "97c0d0ac1d508a70f8610c7dc79de453a990414fba7d7e0f8d21ec22f5796d96" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:87d1bfc370adfcfc07f8062b1477c87653bd8cef7493c784cc5d05db2de1cf1f" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-8330e2a390284638-01" }, "startTime": "2026-05-11T11:28:52Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://d856a922e879adcd7c262486963e40d74b98156a6fa48b4e2fe34134365291f4", "exitCode": 0, "finishedAt": "2026-05-11T11:29:02Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:01Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://2acc472bd48bdc84be795300c61b92d84e9b27527a2dd9bf7d40271cdb9f7b90", "exitCode": 0, "finishedAt": "2026-05-11T11:29:49Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:03Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://ea3760768cc4dc000893f06e9049f72c0db957a6ca8b9899e60a1ef42d60c6ff", "exitCode": 0, "finishedAt": "2026-05-11T11:32:07Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:50Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://b26e6e870e9bd83366f74a3e2e7e22adfe0d8f1f53a20787ff584369f955ba1a", "exitCode": 0, "finishedAt": "2026-05-11T11:32:28Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:07Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://bf56458fc2306fb5b604c2d72c099b25e7ae7d55b0ca966dfea9f11220d1cca7", "exitCode": 0, "finishedAt": "2026-05-11T11:32:49Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:28Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://3506a222346b25e73bf82ac93372a277dbf5853d87a72fd7211d4994f6a1012e", "exitCode": 0, "finishedAt": "2026-05-11T11:33:14Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:87d1bfc370adfcfc07f8062b1477c87653bd8cef7493c784cc5d05db2de1cf1f\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:32:49Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "SOURCE_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "TASKRUN_NAME", "value": "test-comp-umju-on-pull-request-fdxtg-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/f1f853c1-ad57-4035-88f4-87c710018410", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-0525b1e0fe9fdc58-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:33:15Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-build-image-index", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "71158", "uid": "f1f853c1-ad57-4035-88f4-87c710018410" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" ] }, { "name": "BUILDAH_FORMAT", "value": "oci" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:16Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-build-image-index-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-0525b1e0fe9fdc58-01" }, "startTime": "2026-05-11T11:33:16Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://50dec23d5e5e0de7d77b6b8d073285a4fc5adea975fb6f0f38ebd232b09fc7e9", "exitCode": 0, "finishedAt": "2026-05-11T11:34:15Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:50Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://25e711443f63df5c6cf6fc258cb7cd3a7c7dfe7400e7bedfe2cd0b89c7e61053", "exitCode": 0, "finishedAt": "2026-05-11T11:34:15Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:52Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://f8f1ff396fc321f1ba348f6cc6358cb58b0fb9eea64bf97372f5e74b9c497df4", "exitCode": 0, "finishedAt": "2026-05-11T11:34:15Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:33:53Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "oci" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c@sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"test-comp-umju-on-pull-request-fdxtg-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/d8e57774-31a3-424d-8b96-2d19015c23bb", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-04fa82aef86a4a29-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:34:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-clamav-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "77850", "uid": "d8e57774-31a3-424d-8b96-2d19015c23bb" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:37:25Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:37:25Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\", \"digests\": [\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778499442\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-04fa82aef86a4a29-01" }, "startTime": "2026-05-11T11:34:17Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:83085885f6c81f58dc642c8be1e2a8a3c46410ff0b084005a13b20078485405d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "cri-o://8f6c968d84f334097b894456a90468c4ce77ec167ef85dd5d3f3364375179a25", "exitCode": 0, "finishedAt": "2026-05-11T11:37:22Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\\\", \\\"digests\\\": [\\\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499442\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:22Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://de36f63bc911e6c8e8a06a08e1c96213566841d192efadeddd93719b20869f98", "exitCode": 0, "finishedAt": "2026-05-11T11:37:25Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\\\", \\\"digests\\\": [\\\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778499442\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:37:22Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/31baef2a-d78b-4a24-a7df-be264238684c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-6ec40ca98884b2eb-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:27:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-clone-repository", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "59447", "uid": "31baef2a-d78b-4a24-a7df-be264238684c" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "revision", "value": "726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c.git" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-gkzwzl" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:03Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:03Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "commit", "type": "string", "value": "726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "commit-timestamp", "type": "string", "value": "1778498819" }, { "name": "short-commit", "type": "string", "value": "726ac67" }, { "name": "url", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-6ec40ca98884b2eb-01" }, "startTime": "2026-05-11T11:27:17Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://ac46c61898504642178bfbb995fc17623fe51c636b502f8f69a73da2b672c1ae", "exitCode": 0, "finishedAt": "2026-05-11T11:27:32Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498819\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"726ac67\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:32Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://663f7d359e6528ec8e4c28b9ec3983331756c8d80e634394d277ad22a7fc0f62", "exitCode": 0, "finishedAt": "2026-05-11T11:27:33Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498819\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"726ac67\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:33Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://80567833bc41c8677d590267870d51c3e8b400e75b5ed51508500552f18081f8", "exitCode": 0, "finishedAt": "2026-05-11T11:28:03Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25\",\"type\":1},{\"key\":\"commit\",\"value\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498819\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"726ac67\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:34Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "PARAM_REVISION", "value": "726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/a1ccb058-b0de-44af-b689-69f373b0c00a", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-3d2e0496fd9ed574-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:27:10Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-init", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "57296", "uid": "a1ccb058-b0de-44af-b689-69f373b0c00a" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:27:16Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:27:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-3d2e0496fd9ed574-01" }, "startTime": "2026-05-11T11:27:10Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://b42f63e7c837ca29607f49dd75c873475dfeb77075d777fe9a71922f9517318e", "exitCode": 0, "finishedAt": "2026-05-11T11:27:15Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:27:15Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/55e776fe-d05f-48df-8859-8908178888c2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-d738440eb267b108-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:28:04Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-prefetch-dependencies", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "61438", "uid": "55e776fe-d05f-48df-8859-8908178888c2" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" }, { "name": "ociStorage", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "6h" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-gkzwzl" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:52Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:52Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-prefetch-dependencies-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "af12fee3a119b4099d18e19f81cd963a4077dc941da9e28ba82e43f656a65929" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-d738440eb267b108-01" }, "startTime": "2026-05-11T11:28:04Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "provenance": {}, "terminated": { "containerID": "cri-o://9d45e48b6628e97af01a536d3222812ffad3d8b3f50acd5bafbce5b3f46dbcbb", "exitCode": 0, "finishedAt": "2026-05-11T11:28:09Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:09Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://4bc0bf794f82cd812c641b5217d63c2014e4900424f80b68b1f04a8308c2a9de", "exitCode": 0, "finishedAt": "2026-05-11T11:28:10Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:10Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://aadd3f27f35875b9d1edb16ac6bd0becb5163b1d39c10bdcc74df271aead6cac", "exitCode": 0, "finishedAt": "2026-05-11T11:28:50Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:10Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://7c7fa78bc441149287c346c9574c6c43631dbf726cbe5044fd285e5cbe213afa", "exitCode": 0, "finishedAt": "2026-05-11T11:28:51Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:51Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961@sha256:8d0a8fb39ec907e8ca62cdd24b62a63ca49a30fe465798a360741fde58437a23", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "6h" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:339f1a641a46e2a20b5c1aa5d1323c702812d012a1fae475ab27ae795554e523", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/40eb5977-2afb-4834-937b-0e793c874b52", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-3a63ebc24a65d78f-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:34:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "rpms-signature-scan", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-rpms-signature-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "71577", "uid": "40eb5977-2afb-4834-937b-0e793c874b52" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "image-digest", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:34Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:34Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-rpms-signature-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "cfdb76c67f27bc498132431f5a24fbc17dac1981d6f6e3da5cf5964ac5abdd20" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\", \"digests\": [\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:32+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-3a63ebc24a65d78f-01" }, "startTime": "2026-05-11T11:34:17Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:4bb1feaad4cb4735f8a5387e32691dfc1fe6097d28d56c23895866f88b211e28", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "cri-o://b223e7147f67faad42ac98975a013a79cb021944428bec902fb39bc2c591584c", "exitCode": 0, "finishedAt": "2026-05-11T11:34:32Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:22Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "cri-o://6d33e76b60defc4a6f4d9b948228bd6a5a924f8b8a7fd0f1043700d98b3d290e", "exitCode": 0, "finishedAt": "2026-05-11T11:34:33Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\\\", \\\"digests\\\": [\\\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:32+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:32Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:b78a949c4a986724ae8e768ca315fc35bae5e0553de5cd2edd468d6a7d4b7e0f", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/3b363359-f60d-43aa-9df7-6ce6ef7d4ce2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-c8b62a872cb44922-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:34:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-sast-shell-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "71600", "uid": "3b363359-f60d-43aa-9df7-6ce6ef7d4ce2" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:35Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:35Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:32+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-c8b62a872cb44922-01" }, "startTime": "2026-05-11T11:34:17Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://b2862e05036e4cfd3f25f982cecd3de5fd14352ffe81015cb4f9fd74d636464a", "exitCode": 0, "finishedAt": "2026-05-11T11:34:22Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:22Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "cri-o://21960587f8a59e2dcb8807a20f8bd38adddfb8a514209fc5a1f89468fe4f8889", "exitCode": 0, "finishedAt": "2026-05-11T11:34:32Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:22Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://cc721a705e52e11304d054a679a3d95f620f3aa5ccfc215731ec95c5f67c08c9", "exitCode": 0, "finishedAt": "2026-05-11T11:34:33Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:32Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/3f7089ba-5a2f-49b8-b587-a65f80999563", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-8c15ffe0e22b5408-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:34:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-sast-unicode-check", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "71449", "uid": "3f7089ba-5a2f-49b8-b587-a65f80999563" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:27Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-sast-unicode-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:25+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-8c15ffe0e22b5408-01" }, "startTime": "2026-05-11T11:34:17Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:0cf6c1640011bd02c158e2c4fe9f8c4656b9aa751c08fc879d0a99bfb87d0789", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "cri-o://39790c09349e72da9ecb98bea2bc32354764e266b0d7ab276d6705be309ba07b", "exitCode": 0, "finishedAt": "2026-05-11T11:34:25Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:24Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "cri-o://57282bc94d4034f9b71621e6ead92c728667f45fbe06747b18c2676b56b8e8b0", "exitCode": 0, "finishedAt": "2026-05-11T11:34:26Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:25+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:24Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:6504e165b4e1411ca55069091a989fd27722a64ee0e3ec9fa7be5cf31d8b595f", "name": "upload", "provenance": {}, "terminated": { "containerID": "cri-o://acec201bfa86478d4ee7197a10fe30998d3395bd3473be61ec5aea4875327c94", "exitCode": 0, "finishedAt": "2026-05-11T11:34:27Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:25+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:26Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju@sha256:56237a5d5b75f6c1ec9950ad6441484564bfa403c89e812e33019264fe182b25=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/commit_sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "build.appstudio.redhat.com/pull_request_number": "17935", "build.appstudio.redhat.com/target_branch": "base-jqeskk", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-jqeskk", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gkzwzl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-comp-umju-on-pull-request-fdxtg", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-jqeskk\"", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-comp-umju", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-umju", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6/records/8fcc9de0-daf7-40d2-9ba4-61724fdda647", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"726ac6730c64bbf5a897e6018d22fa511feb646c\",\"eventType\":\"pull_request\",\"pull_request-id\":17935}", "results.tekton.dev/result": "build-e2e-tkrv/results/356257ba-6777-460b-bb97-7aa67bd2b5c6", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-b6b0985f4450c2d8c0ca8a3405879fe9-52106d683f4bc3d3-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-comp-umju" }, "creationTimestamp": "2026-05-11T11:34:17Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-comp-umju", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343013006", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-comp-umju-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17935", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "726ac6730c64bbf5a897e6018d22fa511feb646c", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRun": "test-comp-umju-on-pull-request-fdxtg", "tekton.dev/pipelineRunUID": "356257ba-6777-460b-bb97-7aa67bd2b5c6", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan", "test.appstudio.openshift.io/pr-group-sha": "98b93584a705e99e4d5b22287ceb032d175a28eb7be23d448a2d5fccc04ea5" }, "name": "test-comp-umju-on-pull-request-fdxtg-tpa-scan", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-comp-umju-on-pull-request-fdxtg", "uid": "356257ba-6777-460b-bb97-7aa67bd2b5c6" } ], "resourceVersion": "71524", "uid": "8fcc9de0-daf7-40d2-9ba4-61724fdda647" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-comp-umju", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:34:31Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:34:31Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-comp-umju-on-pull-request-fdxtg-tpa-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\", \"digests\": [\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\":\"sha256:de1e90163b68fd6b6de0e57701813e04bf51a084ac97f264d1638d297c5aed85\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":3,\"medium\":1,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-11T11:34:30+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "spanContext": { "traceparent": "00-b6b0985f4450c2d8c0ca8a3405879fe9-52106d683f4bc3d3-01" }, "startTime": "2026-05-11T11:34:17Z", "steps": [ { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://ae04df94c05e1d7c231717fc5188a58bf09ea9fb3dbf511bdae118f857fdd64e", "exitCode": 0, "finishedAt": "2026-05-11T11:34:25Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:23Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "cri-o://a58d8ece3cbe616183e704fe73efc95b17545c18f4951f8fbeabad0d1f89725f", "exitCode": 0, "finishedAt": "2026-05-11T11:34:28Z", "reason": "Completed", "startedAt": "2026-05-11T11:34:26Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "cri-o://9d684fe91c6fc4db485bb5799f5d46dea69700d915de1069cd1db80b8a853225", "exitCode": 0, "finishedAt": "2026-05-11T11:34:30Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c\\\", \\\"digests\\\": [\\\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2\\\":\\\"sha256:de1e90163b68fd6b6de0e57701813e04bf51a084ac97f264d1638d297c5aed85\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":3,\\\"medium\\\":1,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-11T11:34:30+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:34:29Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" }, { "name": "IMAGE_DIGEST", "value": "sha256:ca17215f111ca08c32428c0669efaff8753b25eafd1290a8ca7d97a2567642e2" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-tkrv/test-comp-umju:on-pr-726ac6730c64bbf5a897e6018d22fa511feb646c" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=889031c5abded4f4199c49abb2f38ca0b2457cf5", "build.appstudio.redhat.com/commit_sha": "889031c5abded4f4199c49abb2f38ca0b2457cf5", "build.appstudio.redhat.com/pull_request_number": "17937", "build.appstudio.redhat.com/target_branch": "base-fnrzpb", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-edd490ca6d", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-fnrzpb", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343085996", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-fvhjrf", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-symlink-comp-dqdq-on-pull-request-s9wsf", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-fnrzpb\"", "pipelinesascode.tekton.dev/original-prname": "test-symlink-comp-dqdq-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17937", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "889031c5abded4f4199c49abb2f38ca0b2457cf5", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-symlink-comp-dqdq", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/889031c5abded4f4199c49abb2f38ca0b2457cf5", "pipelinesascode.tekton.dev/source-branch": "konflux-test-symlink-comp-dqdq", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/23e96fd2-9215-4fd1-9cd9-7b12c9cb6293/records/5ad07c49-e266-45ab-a41b-1cabf01135a0", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"889031c5abded4f4199c49abb2f38ca0b2457cf5\",\"eventType\":\"pull_request\",\"pull_request-id\":17937}", "results.tekton.dev/result": "build-e2e-tkrv/results/23e96fd2-9215-4fd1-9cd9-7b12c9cb6293", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-95b3517d890906fdefb58af3ab20159f-e8354254651d5d50-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-symlink-comp-dqdq" }, "creationTimestamp": "2026-05-11T11:28:08Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-symlink-comp-dqdq", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343085996", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-symlink-comp-dqdq-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17937", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "889031c5abded4f4199c49abb2f38ca0b2457cf5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-symlink-comp-dqdq-on-pull-request-s9wsf", "tekton.dev/pipelineRun": "test-symlink-comp-dqdq-on-pull-request-s9wsf", "tekton.dev/pipelineRunUID": "23e96fd2-9215-4fd1-9cd9-7b12c9cb6293", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone", "test.appstudio.openshift.io/pr-group-sha": "d75c8f520b8c9a8c36285e6dced6c04c983d287eae3103276b1649e5232067" }, "name": "test-symlink-comp-dqdq-on-pull-request-s9wsf-clone-repository", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-symlink-comp-dqdq-on-pull-request-s9wsf", "uid": "23e96fd2-9215-4fd1-9cd9-7b12c9cb6293" } ], "resourceVersion": "60444", "uid": "5ad07c49-e266-45ab-a41b-1cabf01135a0" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "revision", "value": "889031c5abded4f4199c49abb2f38ca0b2457cf5" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-symlink-comp-dqdq", "taskRef": { "params": [ { "name": "name", "value": "git-clone" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "output", "persistentVolumeClaim": { "claimName": "pvc-9537a3376d" } }, { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-fvhjrf" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:20Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:20Z", "message": "\"step-symlink-check\" exited with code 1: Error", "reason": "Failed", "status": "False", "type": "Succeeded" } ], "podName": "test-symlink-comp-dqdq-on-p181770d8fd95642c0ba38dcab15a5a1a-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21" }, "entryPoint": "git-clone", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "889031c5abded4f4199c49abb2f38ca0b2457cf5" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "commit", "type": "string", "value": "889031c5abded4f4199c49abb2f38ca0b2457cf5" }, { "name": "commit-timestamp", "type": "string", "value": "1778498849" }, { "name": "short-commit", "type": "string", "value": "889031c" }, { "name": "url", "type": "string", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" } ], "spanContext": { "traceparent": "00-95b3517d890906fdefb58af3ab20159f-e8354254651d5d50-01" }, "startTime": "2026-05-11T11:28:08Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://acde01fbde6f0778fd414fddac40516ab4c017de36b21e8a4153faef4b0888e5", "exitCode": 0, "finishedAt": "2026-05-11T11:28:19Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"889031c5abded4f4199c49abb2f38ca0b2457cf5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"889031c5abded4f4199c49abb2f38ca0b2457cf5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498849\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"889031c\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:18Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://d9a0d64ed033ff8f5c46f4cbec10f1a32296c5e3f707491d6b3718688cc5bf5b", "exitCode": 1, "finishedAt": "2026-05-11T11:28:19Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"889031c5abded4f4199c49abb2f38ca0b2457cf5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1},{\"key\":\"commit\",\"value\":\"889031c5abded4f4199c49abb2f38ca0b2457cf5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1778498849\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"889031c\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic\",\"type\":1}]", "reason": "Error", "startedAt": "2026-05-11T11:28:19Z" }, "terminationReason": "Error" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic" }, { "name": "PARAM_REVISION", "value": "889031c5abded4f4199c49abb2f38ca0b2457cf5" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_SUBDIRECTORY", "value": "source" }, { "name": "PARAM_DELETE_EXISTING", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_GIT_INIT_IMAGE" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "/workspace/output" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\nfi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "PARAM_SUBDIRECTORY", "value": "source" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "/workspace/output" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic?rev=889031c5abded4f4199c49abb2f38ca0b2457cf5", "build.appstudio.redhat.com/commit_sha": "889031c5abded4f4199c49abb2f38ca0b2457cf5", "build.appstudio.redhat.com/pull_request_number": "17937", "build.appstudio.redhat.com/target_branch": "base-fnrzpb", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "pipelinesascode.tekton.dev/branch": "base-fnrzpb", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343085996", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-fvhjrf", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "40773614", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-4296826724.46c4.p3.openshiftapps.com/k8s/ns/build-e2e-tkrv/tekton.dev~v1~PipelineRun/test-symlink-comp-dqdq-on-pull-request-s9wsf", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-fnrzpb\"", "pipelinesascode.tekton.dev/original-prname": "test-symlink-comp-dqdq-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17937", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sender": "rhtap-qe-app[bot]", "pipelinesascode.tekton.dev/sha": "889031c5abded4f4199c49abb2f38ca0b2457cf5", "pipelinesascode.tekton.dev/sha-title": "RHTAP-Qe-App update test-symlink-comp-dqdq", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic/commit/889031c5abded4f4199c49abb2f38ca0b2457cf5", "pipelinesascode.tekton.dev/source-branch": "konflux-test-symlink-comp-dqdq", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-tkrv/results/23e96fd2-9215-4fd1-9cd9-7b12c9cb6293/records/2c6ca421-5f1a-47ce-b60e-28442f0c0c5e", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-python-basic\",\"commit\":\"889031c5abded4f4199c49abb2f38ca0b2457cf5\",\"eventType\":\"pull_request\",\"pull_request-id\":17937}", "results.tekton.dev/result": "build-e2e-tkrv/results/23e96fd2-9215-4fd1-9cd9-7b12c9cb6293", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-95b3517d890906fdefb58af3ab20159f-a32ca4ef6a3846f8-01\"}", "test.appstudio.openshift.io/pr-group": "konflux-test-symlink-comp-dqdq" }, "creationTimestamp": "2026-05-11T11:27:42Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.43.0", "appstudio.openshift.io/application": "test-app-yyhs", "appstudio.openshift.io/component": "test-symlink-comp-dqdq", "kueue.x-k8s.io/priority-class": "konflux-pre-merge-build", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "75343085996", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "test-symlink-comp-dqdq-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "17937", "pipelinesascode.tekton.dev/repository": "test-comp-tysh", "pipelinesascode.tekton.dev/sha": "889031c5abded4f4199c49abb2f38ca0b2457cf5", "pipelinesascode.tekton.dev/state": "queued", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-python-basic", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "test-symlink-comp-dqdq-on-pull-request-s9wsf", "tekton.dev/pipelineRun": "test-symlink-comp-dqdq-on-pull-request-s9wsf", "tekton.dev/pipelineRunUID": "23e96fd2-9215-4fd1-9cd9-7b12c9cb6293", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "d75c8f520b8c9a8c36285e6dced6c04c983d287eae3103276b1649e5232067" }, "name": "test-symlink-comp-dqdq-on-pull-request-s9wsf-init", "namespace": "build-e2e-tkrv", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "test-symlink-comp-dqdq-on-pull-request-s9wsf", "uid": "23e96fd2-9215-4fd1-9cd9-7b12c9cb6293" } ], "resourceVersion": "59655", "uid": "2c6ca421-5f1a-47ce-b60e-28442f0c0c5e" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "build-pipeline-test-symlink-comp-dqdq", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:07Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:07Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "test-symlink-comp-dqdq-on-pull-request-s9wsf-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-95b3517d890906fdefb58af3ab20159f-a32ca4ef6a3846f8-01" }, "startTime": "2026-05-11T11:27:42Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://fd817c8e44365568cb94efa823ac29a91e4a94f327a0349bc9a2c5b6cb98272a", "exitCode": 0, "finishedAt": "2026-05-11T11:28:07Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:07Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/40d401c8-f402-4e6d-9f17-65dbdb48a3a0", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-78062a07913a8b82-01\"}" }, "creationTimestamp": "2026-05-11T11:29:12Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.3", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "apply-tags", "tekton.dev/task": "apply-tags" }, "name": "buildah-demo-iogmdfcwum-apply-tags", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "63763", "uid": "40d401c8-f402-4e6d-9f17-65dbdb48a3a0" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "IMAGE_DIGEST", "value": "sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "apply-tags" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:29:41Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:41Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-apply-tags-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, "entryPoint": "apply-tags", "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags" } }, "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-78062a07913a8b82-01" }, "startTime": "2026-05-11T11:29:13Z", "steps": [ { "container": "step-apply-additional-tags", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "apply-additional-tags", "provenance": {}, "terminated": { "containerID": "cri-o://b7ecd896eaad53de4c70b742c3134812e4fa1b631b1b56c36608f0a282160205", "exitCode": 0, "finishedAt": "2026-05-11T11:29:40Z", "reason": "Completed", "startedAt": "2026-05-11T11:29:39Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Applies additional tags to the built image.", "params": [ { "description": "Image repository and tag reference of the the built image.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest of the built image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": [], "description": "Additional tags that will be applied to the image in the registry.", "name": "ADDITIONAL_TAGS", "type": "array" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--image-url", "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum", "--digest", "sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0", "--tags", "--tags-from-image-label", "konflux.additional-tags" ], "command": [ "konflux-build-cli", "image", "apply-tags" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "apply-additional-tags" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-719fedd652", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/3d28a384-bd22-4b6a-b5c7-80ea2785a414", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-76ed2335fe96d546-01\"}" }, "creationTimestamp": "2026-05-11T11:26:56Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.9.3", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah" }, "name": "buildah-demo-iogmdfcwum-build-container", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "61603", "uid": "3d28a384-bd22-4b6a-b5c7-80ea2785a414" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "DOCKERFILE", "value": "Containerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "be3214825d8af1a44d1406df6233660e8372d26f" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://github.com/conforma/golden-container.git" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "buildah" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:62f09c50d552eac57e17638c67e88b0982352a71975858c8ba262bcff293de06" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "source", "persistentVolumeClaim": { "claimName": "app-studio-default-workspace" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:28:55Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:28:55Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "62f09c50d552eac57e17638c67e88b0982352a71975858c8ba262bcff293de06" }, "entryPoint": "buildah", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/test-images@sha256:168ea31525ffc455e2d4e7f90248d36ece674f0e6e24713b88fc9068d3e6e869" } ], "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-76ed2335fe96d546-01" }, "startTime": "2026-05-11T11:26:56Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://47670f8d5655fc9b6f93fd9a59593bcba1629f0d18672ff2cc43086e26d01c21", "exitCode": 0, "finishedAt": "2026-05-11T11:28:05Z", "reason": "Completed", "startedAt": "2026-05-11T11:27:31Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "provenance": {}, "terminated": { "containerID": "cri-o://e0099df3ebebf3610f5f36dad3e83ff3b0c3b46d9e33b818f0e85c3834b8dc02", "exitCode": 0, "finishedAt": "2026-05-11T11:28:13Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:05Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "cri-o://bfcd924714510302b8055d7487833d1d765b956658e1d2e3f7c0df182dc31dc4", "exitCode": 0, "finishedAt": "2026-05-11T11:28:15Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:13Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "cri-o://325815160d15ed0b139ec902d021fbfd1236a7d8ff3ba4fcdbb4488e567ef1e2", "exitCode": 0, "finishedAt": "2026-05-11T11:28:30Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:15Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://03bed9b13770741d9aa85b835e0107e47301ba1e32224a2ddd23e7e787cd4455", "exitCode": 0, "finishedAt": "2026-05-11T11:28:54Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:168ea31525ffc455e2d4e7f90248d36ece674f0e6e24713b88fc9068d3e6e869\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:28:30Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "HERMETIC", "value": "false" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "CONTEXT", "value": "." }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" }, { "name": "TARGET_STAGE" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "BUILD_ARGS_FILE" }, { "name": "ADD_CAPABILITIES" }, { "name": "SQUASH", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "ANNOTATIONS_FILE" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SKIP_INJECTIONS", "value": "false" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" } ] }, "steps": [ { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "4600m", "memory": "8Gi" }, "requests": { "cpu": "4600m", "memory": "8Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "be3214825d8af1a44d1406df6233660e8372d26f" }, { "name": "SOURCE_URL", "value": "https://github.com/conforma/golden-container.git" }, { "name": "DOCKERFILE", "value": "Containerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n \"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n *)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/workspace/source/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e \"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/workspace/source" }, { "computeResources": { "limits": { "cpu": "600m", "memory": "4Gi" }, "requests": { "cpu": "600m", "memory": "4Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "buildah-demo-iogmdfcwum-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"\nthen\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e /shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"\n then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/workspace/source" }, { "computeResources": { "limits": { "cpu": "1100m", "memory": "4Gi" }, "requests": { "cpu": "1100m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\n cyclonedx)\n syft_sbom_type=cyclonedx-json@1.5 ;;\n spdx)\n syft_sbom_type=spdx-json@2.3 ;;\n *)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/source/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/workspace/source/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/workspace/source" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"\n then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/workspace/source" } ], "volumes": [ { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "shared" }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } } ], "workspaces": [ { "description": "Workspace containing the source code to build.", "name": "source" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/eb8b1266-67de-4cd6-a27a-73d3dd9c2b73", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-5c9aeecbfab5fa47-01\"}" }, "creationTimestamp": "2026-05-11T11:28:56Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.3", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index" }, "name": "buildah-demo-iogmdfcwum-build-image-index", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "62690", "uid": "eb8b1266-67de-4cd6-a27a-73d3dd9c2b73" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "build-image-index" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:29:07Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:29:07Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-build-image-index-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, "entryPoint": "build-image-index", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" } ], "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-5c9aeecbfab5fa47-01" }, "startTime": "2026-05-11T11:28:56Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "build", "provenance": {}, "terminated": { "containerID": "cri-o://2fcf99d96499fa451c3f233281aef3f75d9f324907e82da2cd5205afb091e866", "exitCode": 0, "finishedAt": "2026-05-11T11:29:03Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:01Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://96193f28bc4c7567cc7f817275f6fe4f85c78c491699d97e8892130bcd45debd", "exitCode": 0, "finishedAt": "2026-05-11T11:29:04Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:04Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "cri-o://0edd3e1bb3b99df669fbddddaa299508306fd9ba8ec759dfe93b8358905de9c2", "exitCode": 0, "finishedAt": "2026-05-11T11:29:06Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/test-images@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:29:04Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum@sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "250m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"buildah-demo-iogmdfcwum-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-719fedd652", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/b7e7a706-5062-42c9-b4ee-efd01da3a9bf", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-9899ce6dfd17f191-01\"}" }, "creationTimestamp": "2026-05-11T11:26:13Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.1", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone" }, "name": "buildah-demo-iogmdfcwum-clone-repository", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "55114", "uid": "b7e7a706-5062-42c9-b4ee-efd01da3a9bf" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/conforma/golden-container.git" }, { "name": "revision", "value": "" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "git-clone" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "output", "persistentVolumeClaim": { "claimName": "app-studio-default-workspace" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:26:27Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:26:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21" }, "entryPoint": "git-clone", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "be3214825d8af1a44d1406df6233660e8372d26f" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/conforma/golden-container.git" }, { "name": "commit", "type": "string", "value": "be3214825d8af1a44d1406df6233660e8372d26f" }, { "name": "commit-timestamp", "type": "string", "value": "1775533888" }, { "name": "short-commit", "type": "string", "value": "be32148" }, { "name": "url", "type": "string", "value": "https://github.com/conforma/golden-container.git" } ], "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-9899ce6dfd17f191-01" }, "startTime": "2026-05-11T11:26:13Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "provenance": {}, "terminated": { "containerID": "cri-o://0ec767c84241001e9859b172571f3f2bd2da807cce6464da94615ce4b6418096", "exitCode": 0, "finishedAt": "2026-05-11T11:26:25Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"be3214825d8af1a44d1406df6233660e8372d26f\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/conforma/golden-container.git\",\"type\":1},{\"key\":\"commit\",\"value\":\"be3214825d8af1a44d1406df6233660e8372d26f\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1775533888\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"be32148\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/conforma/golden-container.git\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:25Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "provenance": {}, "terminated": { "containerID": "cri-o://fc2f4d62a4d8ea1049e0b191e8594c5598d7d7ccc6efd9a4e42411b3febfcbd1", "exitCode": 0, "finishedAt": "2026-05-11T11:26:26Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"be3214825d8af1a44d1406df6233660e8372d26f\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/conforma/golden-container.git\",\"type\":1},{\"key\":\"commit\",\"value\":\"be3214825d8af1a44d1406df6233660e8372d26f\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1775533888\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"be32148\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/conforma/golden-container.git\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:26Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/conforma/golden-container.git" }, { "name": "PARAM_REVISION" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_SUBDIRECTORY", "value": "source" }, { "name": "PARAM_DELETE_EXISTING", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_GIT_INIT_IMAGE" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "/workspace/output" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\nfi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "PARAM_SUBDIRECTORY", "value": "source" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "/workspace/output" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/f79c9ead-8cb8-4f9c-b324-5db582865624", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-79169ba58d257149-01\"}" }, "creationTimestamp": "2026-05-11T11:25:59Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.4.2", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init" }, "name": "buildah-demo-iogmdfcwum-init", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "54108", "uid": "f79c9ead-8cb8-4f9c-b324-5db582865624" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:26:13Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:26:13Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-79169ba58d257149-01" }, "startTime": "2026-05-11T11:25:59Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:25fa4c4eeec8509c3486d24d3d215fc4c8280b1b0ca9cc8f4f7569f3a9523a25", "name": "init", "provenance": {}, "terminated": { "containerID": "cri-o://6bc43477bd130b7cd4f60d5e2147504839a149044e14af5bbd5db1ad8ebc5bcf", "exitCode": 0, "finishedAt": "2026-05-11T11:26:12Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-11T11:26:12Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-719fedd652", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/16d75784-98c8-41b4-b073-ea4f3481fae5", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-b9b98da72e0c408f-01\"}" }, "creationTimestamp": "2026-05-11T11:26:29Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.3.2", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies" }, "name": "buildah-demo-iogmdfcwum-prefetch-dependencies", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "56503", "uid": "16d75784-98c8-41b4-b073-ea4f3481fae5" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "enable-package-registry-proxy", "value": "true" } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:214dcd12ea5b30c431dc0a1fae483422c6d397e453f9e832489e93a47853c58f" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "source", "persistentVolumeClaim": { "claimName": "app-studio-default-workspace" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:26:56Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:26:56Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-prefetch-dependencies-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "214dcd12ea5b30c431dc0a1fae483422c6d397e453f9e832489e93a47853c58f" }, "entryPoint": "prefetch-dependencies", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies" } }, "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-b9b98da72e0c408f-01" }, "startTime": "2026-05-11T11:26:29Z", "steps": [ { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "provenance": {}, "terminated": { "containerID": "cri-o://3d626e80d3efebda0deaee34ba391788a2a63f40d91a11a581f6115e6be5f139", "exitCode": 0, "finishedAt": "2026-05-11T11:26:55Z", "reason": "Completed", "startedAt": "2026-05-11T11:26:52Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "service-ca.crt", "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "openshift-service-ca.crt", "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.", "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "true", "description": "Use the package registry proxy when prefetching dependencies", "name": "enable-package-registry-proxy", "type": "string" }, { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "1", "memory": "3Gi" }, "requests": { "cpu": "1", "memory": "3Gi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/workspace/source/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/workspace/source/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILES", "value": "/workspace/source/cachi2/cachi2.env /workspace/source/cachi2/prefetch.env /workspace/source/cachi2/prefetch-env.json" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" }, { "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY", "value": "true" } ], "image": "quay.io/konflux-ci/hermeto:0.51.0@sha256:4899755ffd1574547102a58469aea916822c7fd7825cbec8e477e1b57668a6d7", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/service-ca", "name": "service-ca", "readOnly": true } ] } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "configMap": { "items": [ { "key": "service-ca.crt", "path": "ca-bundle.crt" } ], "name": "openshift-service-ca.crt", "optional": true }, "name": "service-ca" }, { "emptyDir": {}, "name": "config" } ], "workspaces": [ { "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well", "name": "source" }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-719fedd652", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c/records/47fc9035-30c4-4bf1-aa04-b6d2ee568193", "results.tekton.dev/result": "chains-e2e-tnts/results/70c121f4-752d-43cd-9101-4e791ce7186c", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, appstudio", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-374933e4261537e61fc1f7b5fdbc4eac-4f27a34b4653d0b6-01\"}" }, "creationTimestamp": "2026-05-11T11:29:13Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.3.1", "build.appstudio.redhat.com/build_type": "docker", "kueue.x-k8s.io/priority-class": "konflux-default", "kueue.x-k8s.io/queue-name": "pipelines-queue", "pipelines.openshift.io/runtime": "generic", "pipelines.openshift.io/strategy": "docker", "pipelines.openshift.io/used-by": "build-cloud", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "docker-build", "tekton.dev/pipelineRun": "buildah-demo-iogmdfcwum", "tekton.dev/pipelineRunUID": "70c121f4-752d-43cd-9101-4e791ce7186c", "tekton.dev/pipelineTask": "push-dockerfile", "tekton.dev/task": "push-dockerfile" }, "name": "buildah-demo-iogmdfcwum-push-dockerfile", "namespace": "chains-e2e-tnts", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "buildah-demo-iogmdfcwum", "uid": "70c121f4-752d-43cd-9101-4e791ce7186c" } ], "resourceVersion": "64884", "uid": "47fc9035-30c4-4bf1-aa04-b6d2ee568193" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum" }, { "name": "IMAGE_DIGEST", "value": "sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0" }, { "name": "DOCKERFILE", "value": "Containerfile" }, { "name": "CONTEXT", "value": "." } ], "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "konflux-integration-runner", "taskRef": { "params": [ { "name": "name", "value": "push-dockerfile" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:359199272c9a403275162a6741d098d7987334232630b59093d781c743fa99e7" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "2h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "app-studio-default-workspace" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-05-11T11:30:23Z", "conditions": [ { "lastTransitionTime": "2026-05-11T11:30:23Z", "message": "build failed for unspecified reasons.", "reason": "Failed", "status": "False", "type": "Succeeded" } ], "podName": "buildah-demo-iogmdfcwum-push-dockerfile-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "359199272c9a403275162a6741d098d7987334232630b59093d781c743fa99e7" }, "entryPoint": "push-dockerfile", "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile" } }, "spanContext": { "traceparent": "00-374933e4261537e61fc1f7b5fdbc4eac-4f27a34b4653d0b6-01" }, "startTime": "2026-05-11T11:29:13Z", "steps": [ { "container": "step-push", "name": "push", "provenance": {}, "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.", "params": [ { "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.", "name": "IMAGE", "type": "string" }, { "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile.", "name": "DOCKERFILE", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": ".dockerfile", "description": "Suffix of the Dockerfile image tag.", "name": "TAG_SUFFIX", "type": "string" }, { "default": "application/vnd.konflux.dockerfile", "description": "Artifact type of the Dockerfile image.", "name": "ARTIFACT_TYPE", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "results": [ { "description": "Digest-pinned image reference to the Dockerfile image.", "name": "IMAGE_REF", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--source", "source", "--context", ".", "--containerfile", "Containerfile", "--image-url", "quay.io/redhat-appstudio-qe/test-images:buildah-demo-iogmdfcwum", "--image-digest", "sha256:99deb43d3cda48feeb3318a3539757340541b737de4a27812bcefe02cca107b0", "--artifact-type", "application/vnd.konflux.dockerfile", "--tag-suffix", ".dockerfile", "--result-path-image-ref", "/tekton/results/IMAGE_REF", "--alternative-filename", "Dockerfile" ], "command": [ "konflux-build-cli", "image", "push-containerfile" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "push", "workingDir": "/workspace/workspace" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "Workspace containing the source code from where the Dockerfile is discovered.", "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "kueue.konflux-ci.dev/requests-mintmaker": "1", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "mintmaker/results/88d306d1-6058-496f-946b-9c272b7ae3f5/records/225526ef-6cd3-4b41-b734-91d4ff5f49e7", "results.tekton.dev/result": "mintmaker/results/88d306d1-6058-496f-946b-9c272b7ae3f5", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-0a8d5ffaab894cd5d6b81cca4f46b4fe-72f12a589ffc326d-01\"}" }, "creationTimestamp": "2026-05-11T12:00:08Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "kueue.x-k8s.io/priority-class": "konflux-dependency-update", "kueue.x-k8s.io/queue-name": "pipelines-queue", "mintmaker.appstudio.redhat.com/application": "build-suite-component-update-tqpg", "mintmaker.appstudio.redhat.com/branch": "multi-component-child-base-rexo", "mintmaker.appstudio.redhat.com/component": "gl-multi-component-child-rexo", "mintmaker.appstudio.redhat.com/git-host": "gitlab.com", "mintmaker.appstudio.redhat.com/git-platform": "gitlab", "mintmaker.appstudio.redhat.com/namespace": "build-e2e-fnyl", "mintmaker.appstudio.redhat.com/repo-branch-hash": "6afec0741891", "mintmaker.appstudio.redhat.com/repository": "konflux-qe_build-nudge-child-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-05111200-a01d649f", "tekton.dev/pipelineRun": "renovate-05111200-a01d649f", "tekton.dev/pipelineRunUID": "88d306d1-6058-496f-946b-9c272b7ae3f5", "tekton.dev/pipelineTask": "build" }, "name": "renovate-05111200-a01d649f-build", "namespace": "mintmaker", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-05111200-a01d649f", "uid": "88d306d1-6058-496f-946b-9c272b7ae3f5" } ], "resourceVersion": "111288", "uid": "225526ef-6cd3-4b41-b734-91d4ff5f49e7" }, "spec": { "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "mintmaker-controller-manager", "taskSpec": { "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mintmaker-osv-database:latest", "name": "prepare-db", "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "registry.access.redhat.com/ubi9", "name": "prepare-rpm-cert", "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "cpu": "300m", "memory": "3584Mi" }, "requests": { "cpu": "300m", "memory": "3584Mi" } }, "env": [ { "name": "HOME", "value": "/home/renovate" }, { "name": "LOG_LEVEL", "value": "debug" }, { "name": "LOG_FORMAT", "value": "json" }, { "name": "OSV_OFFLINE_DISABLE_DOWNLOAD", "value": "true" }, { "name": "OSV_OFFLINE_ROOT_DIR", "value": "/workspace/shared-data/osv-db" }, { "name": "DNF_VAR_SSL_CLIENT_KEY", "value": "/workspace/shared-data/rpm-certs/key.pem" }, { "name": "DNF_VAR_SSL_CLIENT_CERT", "value": "/workspace/shared-data/rpm-certs/cert.pem" }, { "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS", "value": "7" } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest", "name": "renovate", "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 }, "volumeMounts": [ { "mountPath": "/etc/renovate/config", "name": "configmap-renovate-05111200-a01d649f", "readOnly": true }, { "mountPath": "/etc/renovate/secret", "name": "secret-renovate-05111200-a01d649f-97c0f852", "readOnly": true }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "configmap-trusted-ca-6ct58987ht", "readOnly": true } ] } ], "volumes": [ { "configMap": { "defaultMode": 420, "items": [ { "key": "config.js", "path": "config.js" } ], "name": "renovate-05111200-a01d649f", "optional": false }, "name": "configmap-renovate-05111200-a01d649f" }, { "name": "secret-renovate-05111200-a01d649f-97c0f852", "secret": { "defaultMode": 420, "items": [ { "key": "renovate-token", "path": "renovate-token" } ], "optional": false, "secretName": "renovate-05111200-a01d649f" } }, { "configMap": { "defaultMode": 420, "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "trusted-ca-6ct58987ht", "optional": false }, "name": "configmap-trusted-ca-6ct58987ht" } ], "workspaces": [ { "name": "shared-data" } ] }, "timeout": "2h0m0s", "workspaces": [ { "emptyDir": {}, "name": "shared-data" } ] }, "status": { "completionTime": "2026-05-11T12:02:08Z", "conditions": [ { "lastTransitionTime": "2026-05-11T12:02:08Z", "message": "the step \"renovate\" in TaskRun \"renovate-05111200-a01d649f-build\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/mintmaker-renovate-image:latest\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "renovate-05111200-a01d649f-build-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "spanContext": { "traceparent": "00-0a8d5ffaab894cd5d6b81cca4f46b4fe-72f12a589ffc326d-01" }, "startTime": "2026-05-11T12:00:09Z", "steps": [ { "container": "step-prepare-db", "imageID": "quay.io/konflux-ci/mintmaker-osv-database@sha256:58224f8f1ff2c55a6eace0b5fee5176980777b1e1c6fbec29654a229c7757d2a", "name": "prepare-db", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:08Z", "message": "Step prepare-db terminated as pod renovate-05111200-a01d649f-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:13Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-prepare-rpm-cert", "imageID": "registry.access.redhat.com/ubi9@sha256:2323fcffe84ab72fa11b611be567d8a1bc6f83d3ed3a80327b18399258ea9aa6", "name": "prepare-rpm-cert", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:08Z", "message": "Step prepare-rpm-cert terminated as pod renovate-05111200-a01d649f-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:16Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-renovate", "name": "renovate", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:08Z", "message": "Step renovate terminated as pod renovate-05111200-a01d649f-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:08Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mintmaker-osv-database:latest", "name": "prepare-db", "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "registry.access.redhat.com/ubi9", "name": "prepare-rpm-cert", "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "cpu": "300m", "memory": "3584Mi" }, "requests": { "cpu": "300m", "memory": "3584Mi" } }, "env": [ { "name": "HOME", "value": "/home/renovate" }, { "name": "LOG_LEVEL", "value": "debug" }, { "name": "LOG_FORMAT", "value": "json" }, { "name": "OSV_OFFLINE_DISABLE_DOWNLOAD", "value": "true" }, { "name": "OSV_OFFLINE_ROOT_DIR", "value": "/workspace/shared-data/osv-db" }, { "name": "DNF_VAR_SSL_CLIENT_KEY", "value": "/workspace/shared-data/rpm-certs/key.pem" }, { "name": "DNF_VAR_SSL_CLIENT_CERT", "value": "/workspace/shared-data/rpm-certs/cert.pem" }, { "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS", "value": "7" } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest", "name": "renovate", "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 }, "volumeMounts": [ { "mountPath": "/etc/renovate/config", "name": "configmap-renovate-05111200-a01d649f", "readOnly": true }, { "mountPath": "/etc/renovate/secret", "name": "secret-renovate-05111200-a01d649f-97c0f852", "readOnly": true }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "configmap-trusted-ca-6ct58987ht", "readOnly": true } ] } ], "volumes": [ { "configMap": { "defaultMode": 420, "items": [ { "key": "config.js", "path": "config.js" } ], "name": "renovate-05111200-a01d649f", "optional": false }, "name": "configmap-renovate-05111200-a01d649f" }, { "name": "secret-renovate-05111200-a01d649f-97c0f852", "secret": { "defaultMode": 420, "items": [ { "key": "renovate-token", "path": "renovate-token" } ], "optional": false, "secretName": "renovate-05111200-a01d649f" } }, { "configMap": { "defaultMode": 420, "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "trusted-ca-6ct58987ht", "optional": false }, "name": "configmap-trusted-ca-6ct58987ht" } ], "workspaces": [ { "name": "shared-data" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "kueue.konflux-ci.dev/requests-mintmaker": "1", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "mintmaker/results/f41a116c-817e-4b75-a9b2-5aa60dce6bfd/records/de282865-e1fb-4b8f-9702-66bae52192f3", "results.tekton.dev/result": "mintmaker/results/f41a116c-817e-4b75-a9b2-5aa60dce6bfd", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-a8bc4b0742dc8e38b72d0aedff691d41-0d240cdf0fd9123c-01\"}" }, "creationTimestamp": "2026-05-11T12:00:09Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "kueue.x-k8s.io/priority-class": "konflux-dependency-update", "kueue.x-k8s.io/queue-name": "pipelines-queue", "mintmaker.appstudio.redhat.com/application": "build-suite-component-update-tqpg", "mintmaker.appstudio.redhat.com/branch": "multi-component-parent-base-rexo", "mintmaker.appstudio.redhat.com/component": "gl-multi-component-parent-rexo", "mintmaker.appstudio.redhat.com/git-host": "gitlab.com", "mintmaker.appstudio.redhat.com/git-platform": "gitlab", "mintmaker.appstudio.redhat.com/namespace": "build-e2e-fnyl", "mintmaker.appstudio.redhat.com/repo-branch-hash": "fe89f3910a40", "mintmaker.appstudio.redhat.com/repository": "konflux-qe_build-nudge-parent-twjokv", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-05111200-d3d8090a", "tekton.dev/pipelineRun": "renovate-05111200-d3d8090a", "tekton.dev/pipelineRunUID": "f41a116c-817e-4b75-a9b2-5aa60dce6bfd", "tekton.dev/pipelineTask": "build" }, "name": "renovate-05111200-d3d8090a-build", "namespace": "mintmaker", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-05111200-d3d8090a", "uid": "f41a116c-817e-4b75-a9b2-5aa60dce6bfd" } ], "resourceVersion": "111362", "uid": "de282865-e1fb-4b8f-9702-66bae52192f3" }, "spec": { "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "mintmaker-controller-manager", "taskSpec": { "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mintmaker-osv-database:latest", "name": "prepare-db", "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "registry.access.redhat.com/ubi9", "name": "prepare-rpm-cert", "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "cpu": "300m", "memory": "3584Mi" }, "requests": { "cpu": "300m", "memory": "3584Mi" } }, "env": [ { "name": "HOME", "value": "/home/renovate" }, { "name": "LOG_LEVEL", "value": "debug" }, { "name": "LOG_FORMAT", "value": "json" }, { "name": "OSV_OFFLINE_DISABLE_DOWNLOAD", "value": "true" }, { "name": "OSV_OFFLINE_ROOT_DIR", "value": "/workspace/shared-data/osv-db" }, { "name": "DNF_VAR_SSL_CLIENT_KEY", "value": "/workspace/shared-data/rpm-certs/key.pem" }, { "name": "DNF_VAR_SSL_CLIENT_CERT", "value": "/workspace/shared-data/rpm-certs/cert.pem" }, { "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS", "value": "7" } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest", "name": "renovate", "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 }, "volumeMounts": [ { "mountPath": "/etc/renovate/config", "name": "configmap-renovate-05111200-d3d8090a", "readOnly": true }, { "mountPath": "/etc/renovate/secret", "name": "secret-renovate-05111200-d3d8090a-a89534b8", "readOnly": true }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "configmap-trusted-ca-6ct58987ht", "readOnly": true } ] } ], "volumes": [ { "configMap": { "defaultMode": 420, "items": [ { "key": "config.js", "path": "config.js" } ], "name": "renovate-05111200-d3d8090a", "optional": false }, "name": "configmap-renovate-05111200-d3d8090a" }, { "name": "secret-renovate-05111200-d3d8090a-a89534b8", "secret": { "defaultMode": 420, "items": [ { "key": "renovate-token", "path": "renovate-token" } ], "optional": false, "secretName": "renovate-05111200-d3d8090a" } }, { "configMap": { "defaultMode": 420, "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "trusted-ca-6ct58987ht", "optional": false }, "name": "configmap-trusted-ca-6ct58987ht" } ], "workspaces": [ { "name": "shared-data" } ] }, "timeout": "2h0m0s", "workspaces": [ { "emptyDir": {}, "name": "shared-data" } ] }, "status": { "completionTime": "2026-05-11T12:02:10Z", "conditions": [ { "lastTransitionTime": "2026-05-11T12:02:10Z", "message": "the step \"renovate\" in TaskRun \"renovate-05111200-d3d8090a-build\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/mintmaker-renovate-image:latest\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "renovate-05111200-d3d8090a-build-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "spanContext": { "traceparent": "00-a8bc4b0742dc8e38b72d0aedff691d41-0d240cdf0fd9123c-01" }, "startTime": "2026-05-11T12:00:09Z", "steps": [ { "container": "step-prepare-db", "imageID": "quay.io/konflux-ci/mintmaker-osv-database@sha256:58224f8f1ff2c55a6eace0b5fee5176980777b1e1c6fbec29654a229c7757d2a", "name": "prepare-db", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:10Z", "message": "Step prepare-db terminated as pod renovate-05111200-d3d8090a-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:13Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-prepare-rpm-cert", "imageID": "registry.access.redhat.com/ubi9@sha256:2323fcffe84ab72fa11b611be567d8a1bc6f83d3ed3a80327b18399258ea9aa6", "name": "prepare-rpm-cert", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:10Z", "message": "Step prepare-rpm-cert terminated as pod renovate-05111200-d3d8090a-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:16Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-renovate", "name": "renovate", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:10Z", "message": "Step renovate terminated as pod renovate-05111200-d3d8090a-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:09Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mintmaker-osv-database:latest", "name": "prepare-db", "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "registry.access.redhat.com/ubi9", "name": "prepare-rpm-cert", "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "cpu": "300m", "memory": "3584Mi" }, "requests": { "cpu": "300m", "memory": "3584Mi" } }, "env": [ { "name": "HOME", "value": "/home/renovate" }, { "name": "LOG_LEVEL", "value": "debug" }, { "name": "LOG_FORMAT", "value": "json" }, { "name": "OSV_OFFLINE_DISABLE_DOWNLOAD", "value": "true" }, { "name": "OSV_OFFLINE_ROOT_DIR", "value": "/workspace/shared-data/osv-db" }, { "name": "DNF_VAR_SSL_CLIENT_KEY", "value": "/workspace/shared-data/rpm-certs/key.pem" }, { "name": "DNF_VAR_SSL_CLIENT_CERT", "value": "/workspace/shared-data/rpm-certs/cert.pem" }, { "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS", "value": "7" } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest", "name": "renovate", "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 }, "volumeMounts": [ { "mountPath": "/etc/renovate/config", "name": "configmap-renovate-05111200-d3d8090a", "readOnly": true }, { "mountPath": "/etc/renovate/secret", "name": "secret-renovate-05111200-d3d8090a-a89534b8", "readOnly": true }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "configmap-trusted-ca-6ct58987ht", "readOnly": true } ] } ], "volumes": [ { "configMap": { "defaultMode": 420, "items": [ { "key": "config.js", "path": "config.js" } ], "name": "renovate-05111200-d3d8090a", "optional": false }, "name": "configmap-renovate-05111200-d3d8090a" }, { "name": "secret-renovate-05111200-d3d8090a-a89534b8", "secret": { "defaultMode": 420, "items": [ { "key": "renovate-token", "path": "renovate-token" } ], "optional": false, "secretName": "renovate-05111200-d3d8090a" } }, { "configMap": { "defaultMode": 420, "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "trusted-ca-6ct58987ht", "optional": false }, "name": "configmap-trusted-ca-6ct58987ht" } ], "workspaces": [ { "name": "shared-data" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "kueue.konflux-ci.dev/requests-mintmaker": "1", "pipeline.tekton.dev/release": "8d33f2ae87e5a20bce798055da0f3bfb6a08a46d", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "mintmaker/results/cdee91eb-86e7-4a81-80c6-b41cd1a24753/records/ce43f187-1084-4e4c-baaf-3f5b549e44e9", "results.tekton.dev/result": "mintmaker/results/cdee91eb-86e7-4a81-80c6-b41cd1a24753", "results.tekton.dev/stored": "true", "tekton.dev/taskrunSpanContext": "{\"traceparent\":\"00-1e0e9aa6b29572ca3a9ddadcc47b954f-ab2ed73440136b63-01\"}" }, "creationTimestamp": "2026-05-11T12:00:13Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "kueue.x-k8s.io/priority-class": "konflux-dependency-update", "kueue.x-k8s.io/queue-name": "pipelines-queue", "mintmaker.appstudio.redhat.com/application": "build-suite-positive-mc-ygmw", "mintmaker.appstudio.redhat.com/branch": "multi-component-base-qpbqgb", "mintmaker.appstudio.redhat.com/component": "go-component-gwgfsj", "mintmaker.appstudio.redhat.com/git-host": "github.com", "mintmaker.appstudio.redhat.com/git-platform": "github", "mintmaker.appstudio.redhat.com/namespace": "build-e2e-rggz", "mintmaker.appstudio.redhat.com/repo-branch-hash": "731dfe886580", "mintmaker.appstudio.redhat.com/repository": "redhat-appstudio-qe_sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-05111200-f11c055f", "tekton.dev/pipelineRun": "renovate-05111200-f11c055f", "tekton.dev/pipelineRunUID": "cdee91eb-86e7-4a81-80c6-b41cd1a24753", "tekton.dev/pipelineTask": "build" }, "name": "renovate-05111200-f11c055f-build", "namespace": "mintmaker", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-05111200-f11c055f", "uid": "cdee91eb-86e7-4a81-80c6-b41cd1a24753" } ], "resourceVersion": "111213", "uid": "ce43f187-1084-4e4c-baaf-3f5b549e44e9" }, "spec": { "podTemplate": { "nodeSelector": { "konflux-ci.dev/workload": "konflux-tenants" }, "tolerations": [ { "effect": "NoSchedule", "key": "konflux-ci.dev/workload", "operator": "Equal", "value": "konflux-tenants" } ] }, "serviceAccountName": "mintmaker-controller-manager", "taskSpec": { "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mintmaker-osv-database:latest", "name": "prepare-db", "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "registry.access.redhat.com/ubi9", "name": "prepare-rpm-cert", "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "cpu": "300m", "memory": "3584Mi" }, "requests": { "cpu": "300m", "memory": "3584Mi" } }, "env": [ { "name": "HOME", "value": "/home/renovate" }, { "name": "LOG_LEVEL", "value": "debug" }, { "name": "LOG_FORMAT", "value": "json" }, { "name": "OSV_OFFLINE_DISABLE_DOWNLOAD", "value": "true" }, { "name": "OSV_OFFLINE_ROOT_DIR", "value": "/workspace/shared-data/osv-db" }, { "name": "DNF_VAR_SSL_CLIENT_KEY", "value": "/workspace/shared-data/rpm-certs/key.pem" }, { "name": "DNF_VAR_SSL_CLIENT_CERT", "value": "/workspace/shared-data/rpm-certs/cert.pem" }, { "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS", "value": "7" } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest", "name": "renovate", "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 }, "volumeMounts": [ { "mountPath": "/etc/renovate/config", "name": "configmap-renovate-05111200-f11c055f", "readOnly": true }, { "mountPath": "/etc/renovate/secret", "name": "secret-renovate-05111200-f11c055f-2f5d5173", "readOnly": true }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "configmap-trusted-ca-6ct58987ht", "readOnly": true } ] } ], "volumes": [ { "configMap": { "defaultMode": 420, "items": [ { "key": "config.js", "path": "config.js" } ], "name": "renovate-05111200-f11c055f", "optional": false }, "name": "configmap-renovate-05111200-f11c055f" }, { "name": "secret-renovate-05111200-f11c055f-2f5d5173", "secret": { "defaultMode": 420, "items": [ { "key": "renovate-token", "path": "renovate-token" } ], "optional": false, "secretName": "renovate-05111200-f11c055f" } }, { "configMap": { "defaultMode": 420, "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "trusted-ca-6ct58987ht", "optional": false }, "name": "configmap-trusted-ca-6ct58987ht" } ], "workspaces": [ { "name": "shared-data" } ] }, "timeout": "2h0m0s", "workspaces": [ { "emptyDir": {}, "name": "shared-data" } ] }, "status": { "completionTime": "2026-05-11T12:02:04Z", "conditions": [ { "lastTransitionTime": "2026-05-11T12:02:04Z", "message": "the step \"renovate\" in TaskRun \"renovate-05111200-f11c055f-build\" failed to pull the image \"\". The pod errored with the message: \"Back-off pulling image \"quay.io/konflux-ci/mintmaker-renovate-image:latest\".\"", "reason": "TaskRunImagePullFailed", "status": "False", "type": "Succeeded" } ], "podName": "renovate-05111200-f11c055f-build-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "alpha", "enableParamEnum": true, "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "spanContext": { "traceparent": "00-1e0e9aa6b29572ca3a9ddadcc47b954f-ab2ed73440136b63-01" }, "startTime": "2026-05-11T12:00:13Z", "steps": [ { "container": "step-prepare-db", "imageID": "quay.io/konflux-ci/mintmaker-osv-database@sha256:58224f8f1ff2c55a6eace0b5fee5176980777b1e1c6fbec29654a229c7757d2a", "name": "prepare-db", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:04Z", "message": "Step prepare-db terminated as pod renovate-05111200-f11c055f-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:18Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-prepare-rpm-cert", "imageID": "registry.access.redhat.com/ubi9@sha256:2323fcffe84ab72fa11b611be567d8a1bc6f83d3ed3a80327b18399258ea9aa6", "name": "prepare-rpm-cert", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:04Z", "message": "Step prepare-rpm-cert terminated as pod renovate-05111200-f11c055f-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:24Z" }, "terminationReason": "TaskRunImagePullFailed" }, { "container": "step-renovate", "name": "renovate", "provenance": {}, "terminated": { "exitCode": 1, "finishedAt": "2026-05-11T12:02:04Z", "message": "Step renovate terminated as pod renovate-05111200-f11c055f-build-pod is terminated", "reason": "TaskRunImagePullFailed", "startedAt": "2026-05-11T12:00:13Z" }, "terminationReason": "TaskRunImagePullFailed" } ], "taskSpec": { "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mintmaker-osv-database:latest", "name": "prepare-db", "script": "echo 'Copying OSV database to the shared workspace'; cp -r /data/osv-db /workspace/shared-data", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "registry.access.redhat.com/ubi9", "name": "prepare-rpm-cert", "script": "[ ! -f \"/etc/renovate/secret/rpm-activationkey\" ] \u0026\u0026 echo 'RPM secret not found. Exiting.' \u0026\u0026 exit 0;echo 'Generating RPM certificate and copying it to shared workspace';KEY_NAME=$(cat /etc/renovate/secret/rpm-activationkey);ORG_ID=$(cat /etc/renovate/secret/rpm-org);subscription-manager register --activationkey=\"$KEY_NAME\" --org=\"$ORG_ID\";mkdir -p /workspace/shared-data/rpm-certs;cp /etc/pki/entitlement/*-key.pem /workspace/shared-data/rpm-certs/key.pem;cp $(find /etc/pki/entitlement -maxdepth 1 -type f -name '*.pem' ! -name '*-key.pem' -print -quit) /workspace/shared-data/rpm-certs/cert.pem", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "cpu": "300m", "memory": "3584Mi" }, "requests": { "cpu": "300m", "memory": "3584Mi" } }, "env": [ { "name": "HOME", "value": "/home/renovate" }, { "name": "LOG_LEVEL", "value": "debug" }, { "name": "LOG_FORMAT", "value": "json" }, { "name": "OSV_OFFLINE_DISABLE_DOWNLOAD", "value": "true" }, { "name": "OSV_OFFLINE_ROOT_DIR", "value": "/workspace/shared-data/osv-db" }, { "name": "DNF_VAR_SSL_CLIENT_KEY", "value": "/workspace/shared-data/rpm-certs/key.pem" }, { "name": "DNF_VAR_SSL_CLIENT_CERT", "value": "/workspace/shared-data/rpm-certs/cert.pem" }, { "name": "RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS", "value": "7" } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:latest", "name": "renovate", "script": "RENOVATE_TOKEN=$(cat /etc/renovate/secret/renovate-token) RENOVATE_CONFIG_FILE=/etc/renovate/config/config.js LOG_FILE=/workspace/shared-data/renovate-logs.json renovate || true", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "runAsUser": 1001120000 }, "volumeMounts": [ { "mountPath": "/etc/renovate/config", "name": "configmap-renovate-05111200-f11c055f", "readOnly": true }, { "mountPath": "/etc/renovate/secret", "name": "secret-renovate-05111200-f11c055f-2f5d5173", "readOnly": true }, { "mountPath": "/etc/pki/ca-trust/extracted/pem", "name": "configmap-trusted-ca-6ct58987ht", "readOnly": true } ] } ], "volumes": [ { "configMap": { "defaultMode": 420, "items": [ { "key": "config.js", "path": "config.js" } ], "name": "renovate-05111200-f11c055f", "optional": false }, "name": "configmap-renovate-05111200-f11c055f" }, { "name": "secret-renovate-05111200-f11c055f-2f5d5173", "secret": { "defaultMode": 420, "items": [ { "key": "renovate-token", "path": "renovate-token" } ], "optional": false, "secretName": "renovate-05111200-f11c055f" } }, { "configMap": { "defaultMode": 420, "items": [ { "key": "ca-bundle.crt", "path": "tls-ca-bundle.pem" } ], "name": "trusted-ca-6ct58987ht", "optional": false }, "name": "configmap-trusted-ca-6ct58987ht" } ], "workspaces": [ { "name": "shared-data" } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }