{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/9e99f40b-c753-4c6a-a439-55d7fd525ece",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "kon0bafa63cc17413b6c487eb4203e464c1-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "40399",
                "uid": "9e99f40b-c753-4c6a-a439-55d7fd525ece"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon0bafa63cc17413b6c487eb4275287932b7c5cf5d1340932c0206a298-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:03:00+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:21Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9813b1d8cae82ad3468e0355a4476066f14413a00f82a714904682f50e8a7272",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:00Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:00+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/df752a8d-92fd-4bdf-bcde-546ec0e59a7e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "kon0bafa63cc17413b6c487eb4203e464c1-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "40087",
                "uid": "df752a8d-92fd-4bdf-bcde-546ec0e59a7e"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:02:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:02:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon0bafa63cc17413b6c487eb4215b8407b99e76a40e67442f1ef94bab9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\", \"digests\": [\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:02:52+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:11Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d9418d5bb174702835942637a9fd58128f754c7e6aad265a7b8ecfd8545541f6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:52Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\\\", \\\"digests\\\": [\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:02:52+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/0f4e4be0-1de7-4e2c-a20c-d75260fea15d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check"
                },
                "name": "kona653a294b0f3826077fb49897bfaa75b-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37418",
                "uid": "0f4e4be0-1de7-4e2c-a20c-d75260fea15d"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kona653a294b0f3826077fb49897562c979d12d387b3d63300d3de6e209-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:01:08+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:56Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9f11a124b883671e0d967470f57abcd725aa4d6ad00ca818320786c2b05bcb2d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:08Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:08+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/2e1ca136-e4df-45ff-9352-26b99edb86ba",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "kona653a294b0f3826077fb49897bfaa75b-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37331",
                "uid": "2e1ca136-e4df-45ff-9352-26b99edb86ba"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:10Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:10Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kona653a294b0f3826077fb4989db6423821c4b2da87d60d826e440d821-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\", \"digests\": [\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:01:09+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:54Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://37d3ac55461813207c7846d257f1130a464f79e4bb93c0387cccaa1ee0fcd80b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:09Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\\\", \\\"digests\\\": [\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:09+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:02Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/5ed995f3-faab-413b-a9f5-a72430d340e9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konbac6a52927a4424d425fece4d4f5f31e-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31802",
                "uid": "5ed995f3-faab-413b-a9f5-a72430d340e9"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konbac6a52927a4424d425fece4514e6d9cf16b48f27260a53b3b638c35-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T07:56:19+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:09Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b7e4f7c648aea2d7bf93b6b5563f5480977878cfea2a25c2bfd6f6a8d7e3a6d2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:19Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:19+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/94b4b9c4-9509-4fae-967f-dcd824c12ad9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konbac6a52927a4424d425fece4d4f5f31e-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31670",
                "uid": "94b4b9c4-9509-4fae-967f-dcd824c12ad9"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konbac6a52927a4424d425fece4204dea83ea287725326a371adfd9a7d5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\", \"digests\": [\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:21+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:07Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cc95f498068a6e8adee07c0800dcf474ab0f0d1fd86eb10e52846da7ddfe21ff",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:21Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\\\", \\\"digests\\\": [\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:21+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/f676c45e-d92b-4e5f-9b85-365ef68890dd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:58Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-t0bafa63cc17413b6c487eb4203e464c1-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "35823",
                "uid": "f676c45e-d92b-4e5f-9b85-365ef68890dd"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-gwceig"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:59:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:59:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t0bafa63cc17413b6c414b2dd78bee9eaba04ebf5019bb4cffc-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T07:58:58Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5080c028f968ddcfc493915eb9a63e24088fcf6c938d3d2907ae3c4803450f46",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:59:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/3280aa0b-183d-4f58-9235-664320c3ba09",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:58:22Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies"
                },
                "name": "konflux-ta653a294b0f3826077fb49897bfaa75b-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "35472",
                "uid": "3280aa0b-183d-4f58-9235-664320c3ba09"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-keetls"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-ta653a294b0f38260771b35c69ecce4dc2044ceee7cf46bec69-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T07:58:22Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6537783e27855eca3b1f852a5965708a1deff02733c1ecca4112e35898c9ebe4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:34Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/a3898d06-0d86-4f1a-b200-42e966d0cd8d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:53:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-tbac6a52927a4424d425fece4d4f5f31e-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "29931",
                "uid": "a3898d06-0d86-4f1a-b200-42e966d0cd8d"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-bsoabi"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:54:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:54:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tbac6a52927a4424d42c4470477273feb2a7e7714bc406ee422-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T07:53:54Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://159d3053bec02c5cbb5bab1db554c85493ddadc3725ddee238dc0f3629db7d71",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:54:01Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:57Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/3d618cb9-b994-437c-994b-1886bf58b6d9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:11Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-tes0bafa63cc17413b6c487eb4203e464c1-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "42384",
                "uid": "3d618cb9-b994-437c-994b-1886bf58b6d9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes0bafa63cc17413b60d8ab16a5f5a0b75d79b2a70969ba3d0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\", \"digests\": [\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:31+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:26Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d27500c0a4776a4f1557d7843bd35d4f826d4277627f294f0c3e3543b02ca503",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:30Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://708bccbbb2ac67c09ce68b86ee2b3236ba828b4f779907b702767fa4927a82dd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:31Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\\\", \\\"digests\\\": [\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:31+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/137d9b77-424b-452e-bc1c-c29b85f9de18",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:55Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "konflux-tesa653a294b0f3826077fb49897bfaa75b-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37529",
                "uid": "137d9b77-424b-452e-bc1c-c29b85f9de18"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tesa653a294b0f3826032762e05ab3070c6fe3b1acc614e3bd5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\", \"digests\": [\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:01:28+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:58Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e1d82f8ae2b6f70b749792f58d9178d0b4d1af2a4e35c1d0bc8c488026ebd4d9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ed05976b13df9a9d5f200d27f23ddc40382405cd67a4b8b46b0b6fd0b93e0386",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:29Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\\\", \\\"digests\\\": [\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:28+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/6c0de9d2-ce68-4ab8-acaa-f46ccdab4cf8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:08Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-tesbac6a52927a4424d425fece4d4f5f31e-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "33286",
                "uid": "6c0de9d2-ce68-4ab8-acaa-f46ccdab4cf8"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tesbac6a52927a4424d77c7ef4e2cff85c58ac4a672885bd5a0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\", \"digests\": [\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:41+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:11Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f1cf80820b917335c5a8acb7d7fc765bd66e656322dcd72338013e9f2b90bd24",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:40Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://73c9bec4545db86b3baff9cc4d8f6183e3b791f930c91adac9c9acead50751bc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:41Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\\\", \\\"digests\\\": [\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:41+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/b235c9f0-4b92-4c29-b812-c46775360b3d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:01:48Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-0bafa63cc17413b6c487eb4203e464c1-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "39144",
                "uid": "b235c9f0-4b92-4c29-b812-c46775360b3d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:02:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:02:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-0bafa63cc17413864bfb7c1c161a3bb5af6672a192fb58-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "startTime": "2026-07-04T08:01:48Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7a4e822339f0d9f119fe252cce2072b3d6983cd52eb96800f1a04d6b98d90d4a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:00Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ba6bbdda7eeb048ec77a66317985533b63b38a10c00390380148890168855ae4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:01Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://952f1d48a3aa65686a47cfb4eab83005ce08a8766381efa812917ddd1517ad7c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:06Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-0bafa63cc17413b6c487eb4203e464c1-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-0bafa63cc17413b6c487eb4203e464c1-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/ce5e56b7-3cf3-425e-905c-ea35ba07b546",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:42Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index"
                },
                "name": "konflux-test-a653a294b0f3826077fb49897bfaa75b-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37192",
                "uid": "ce5e56b7-3cf3-425e-905c-ea35ba07b546"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:00:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:00:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-a653a294b0f382dc385d83c42901ce99642d3f840c6e83-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "startTime": "2026-07-04T08:00:42Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1fe44e83c3f4b09a79d30905482b5dc3ff3e4040d260f862b713d17e9a6a9993",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:49Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cf2c6d1ef3102c7397c50c66a1cb368c1053ea73a7eac9104390d729a3e45e98",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:50Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://faf33f09d9a9a5b654f6973497aaaca9e814ee3853ecbfef0ec04713eccc30c2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:53Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-a653a294b0f3826077fb49897bfaa75b-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-a653a294b0f3826077fb49897bfaa75b-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/3ee8f5ff-cfa3-49a9-8b35-ec84aec21e18",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:55:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-bac6a52927a4424d425fece4d4f5f31e-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31150",
                "uid": "3ee8f5ff-cfa3-49a9-8b35-ec84aec21e18"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-bac6a52927a442edd4903be4c3771e3d51854fcb9cea1f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "startTime": "2026-07-04T07:55:56Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d3fbb25e483468bdf0b8006f7efc123296134dcd06f3faa50e28da745f173311",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:03Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://96718950f23b2c8b19651d2328d5dd118efa72cec73637822a1e95e7037cc6dd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:04Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://53b2fec75810edfd43ba180643121a1b644bf00052dca01e3c96ce94c19c5890",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:06Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-bac6a52927a4424d425fece4d4f5f31e-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-bac6a52927a4424d425fece4d4f5f31e-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/411438a9-020d-4f7b-a38c-641b7b264c89",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:46Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-i0bafa63cc17413b6c487eb4203e464c1-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "35782",
                "uid": "411438a9-020d-4f7b-a38c-641b7b264c89"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-gwceig"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i0bafa63cc174169af7ba95b8bf4c3a5d290043d133176-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783151863"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "872e77c"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-04T07:58:46Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f33c56d97edefa10e98e8ce42f14e9aff0bab8c711e58094dfa14d515d963185",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:52Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151863\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"872e77c\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:51Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f898629bb616ada540081d43d43a76b742795e3c8f5f57099a56e89f78e7f0ce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:53Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151863\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"872e77c\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/a7d3b86b-590f-4174-8f11-314eb1900325",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-i0bafa63cc17413b6c487eb4203e464c1-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "42086",
                "uid": "a7d3b86b-590f-4174-8f11-314eb1900325"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i0bafa63cc1741e4a0c606cdb7257899a824ef14d45366-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:20+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:22Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f9cbea7f8ca53a20f5877511d51bba896a361eabb2b04e943fbd15e188f4e9ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:20+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://77f5853ba87a3b60312f64c12a3fd382bfbd5c887d0a9303e3f2a9a77a4047cf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:20+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/8614b618-99b7-4b14-b3af-863d4546d88b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:58:14Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone"
                },
                "name": "konflux-test-ia653a294b0f3826077fb49897bfaa75b-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "35355",
                "uid": "8614b618-99b7-4b14-b3af-863d4546d88b"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-keetls"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ia653a294b0f382ffe01307bb7ccc1b3967fabeb58a878-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783151859"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "c80d5bb"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-04T07:58:14Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4a0fe53ca89a9234f0724a81b7e447fd1b04048b39f50ff95a6d1c5e75940ea2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:18Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151859\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c80d5bb\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dd027ba72cb568371db83a906be458e87f445646de6a7a14fd50d94f671b3f4f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:19Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151859\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c80d5bb\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/37ae242d-bc81-44b0-bf16-9ca065c591ab",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check"
                },
                "name": "konflux-test-ia653a294b0f3826077fb49897bfaa75b-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37421",
                "uid": "37ae242d-bc81-44b0-bf16-9ca065c591ab"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ia653a294b0f38abf455b534d9454fec6f841c9ea9d559-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:01:10+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:56Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://161ac76c370b53203afe3cd24b77cc8f90be3e2eae17e2271fd526e24defa618",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:10Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:10+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://51e7bce6bb9c59129dffec1961455f6375ae9dfc4ff1a8f9dd204dfa13e1b8e0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:11Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:10+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/942106da-3267-4964-ab07-4906adcb3905",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:53:45Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-ibac6a52927a4424d425fece4d4f5f31e-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "29683",
                "uid": "942106da-3267-4964-ab07-4906adcb3905"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-bsoabi"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:53:50Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:53:50Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ibac6a52927a4441400a0390deead9870de60f06dadf7f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783151594"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "017b4b0"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-04T07:53:45Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://940b9488d09c2456a8de2de9da4f974ca4859a2cb0ff77d46347a3cc40450813",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:53:48Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151594\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"017b4b0\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5d24d3f3a5836ce1f325181850b7750b38b3dc535c05cbe3fc934c1a95197748",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:53:49Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151594\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"017b4b0\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:49Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/d88e09c1-48e5-44c8-9ff4-734624bb107e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-ibac6a52927a4424d425fece4d4f5f31e-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31817",
                "uid": "d88e09c1-48e5-44c8-9ff4-734624bb107e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ibac6a52927a44c9f1d9a48479822adebb3b55565c88ca-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:22+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:09Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://972f09d2d8c7e971375738b7a25788b3d3b75dfa0099f05316136e2b289f977a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:22+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://24a96c097c6be3e962cc5cf6fe21c7b5b560d46eb4b5f462b561261f46efff32",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:22+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/0fafb984-1aab-407e-b7e0-0da12f08816b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:59:11Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-in0bafa63cc17413b6c487eb4203e464c1-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "39003",
                "uid": "0fafb984-1aab-407e-b7e0-0da12f08816b"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in0bafa63cc17410f053f68c40159750ca8b8528320e12-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:8dc0e685e560d42ba639206a145b0998a5fc61d128883b08fc8f72889e4e86eb"
                    }
                ],
                "startTime": "2026-07-04T07:59:11Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cbf11e3b5d9ce87cbfea13b14c39c535b9689e8788700aa14c619b993367ca91",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:33Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f7777c243260953f2e5b954543215174e7477f5062cf7a2a7a7daeb93248297",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:45Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://49287fd32388dc92b2dee183c1f190436f404eb572aa48f40e021136aff00edb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:54Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://678464af1e4b80e32e0d0503eba66ac6f0df078670e0714482db0bb6497fd66a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:17Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://729b6cff41bd4af6b9ee1e495bff3634115be9d6ac03e11391191db55733fcc3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:45Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314@sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:8dc0e685e560d42ba639206a145b0998a5fc61d128883b08fc8f72889e4e86eb\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in0bafa63cc17413b6c487eb4203e464c1-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/8dd6de3c-42c2-4135-9fe5-3704995100f3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:11Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-in0bafa63cc17413b6c487eb4203e464c1-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "40498",
                "uid": "8dd6de3c-42c2-4135-9fe5-3704995100f3"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in0bafa63cc1748f8fbfb31ba95d03939ffcb42bec2f5e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:6f836745c08d549acec827e242204c8c2e8de3610af8c26d441f6b175435cf84"
                    }
                ],
                "startTime": "2026-07-04T08:02:24Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b81189135c55e52cc47218f267f068b68c138b865f643f1174a1ebdcaf39f091",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:01Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:6f836745c08d549acec827e242204c8c2e8de3610af8c26d441f6b175435cf84\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314",
                                "--image-digest",
                                "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/121a0fe0-f26b-4e65-b39b-32e2c7d20d8f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-in0bafa63cc17413b6c487eb4203e464c1-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "41709",
                "uid": "121a0fe0-f26b-4e65-b39b-32e2c7d20d8f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in0bafa63cc174be354b14798d1f1995c47618ffbe0187-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:03:20+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:15Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e207c80b347be24a1e00393179613216168d862825aedea27e3c91055c53d0cc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:20+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3cbae2e9d640341c0947b9f6eab740954a3a4249e5a724c7ba20f740e471cbb7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:20+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/66f12e35-55d3-4f86-aa29-cc87d7439def",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:58:40Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah"
                },
                "name": "konflux-test-ina653a294b0f3826077fb49897bfaa75b-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "36475",
                "uid": "66f12e35-55d3-4f86-aa29-cc87d7439def"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:00:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:00:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ina653a294b0f30836acf1200c8a8e8f80fc1bc7670111-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:2dc394ce1d92ed1c534228376ca3ef763073a7f3d4e040875e966c92c50382b8"
                    }
                ],
                "startTime": "2026-07-04T07:58:40Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c6ad263ed73187c9b8df9b42b6c711533c587cb6be046c79f1aeda3a215eb49c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:59:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://adce78fcc0f14f2c1ff0739e32cd09ab34690299ad45eeab85c987085c5d8d7c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:59:38Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://640f1d7b10b1e9dd1b4f583a856ee7fb4a7ad4ac08156a37cf8d0e4eaa7e333e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:59:52Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://61b5818aff9ec5377ac02d3ac81b3ddabedd694cfc57218b617d4b88790e3967",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:13Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://270b54eb4a4b86e0d3258345d96b1e1679c08452fdc6db7a146bf207ee4c828b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:41Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9@sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:2dc394ce1d92ed1c534228376ca3ef763073a7f3d4e040875e966c92c50382b8\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-ina653a294b0f3826077fb49897bfaa75b-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/1c64c62d-5eb1-4a48-a075-77065f082d6a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile"
                },
                "name": "konflux-test-ina653a294b0f3826077fb49897bfaa75b-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37517",
                "uid": "1c64c62d-5eb1-4a48-a075-77065f082d6a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ina653a294b0f34f640f66ba543b3ded17f03fe7f55a6b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:92f27ddd3a364d2b5b28cf137094f409f6e3a3881d99d596008b42eae44ab2b9"
                    }
                ],
                "startTime": "2026-07-04T08:00:57Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://04e6d249b80257c467e52320140929da86aafdd30567527693743b5e74090c25",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:09Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:92f27ddd3a364d2b5b28cf137094f409f6e3a3881d99d596008b42eae44ab2b9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9",
                                "--image-digest",
                                "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/04a618c5-36d1-429b-9714-722b04f1c37a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check"
                },
                "name": "konflux-test-ina653a294b0f3826077fb49897bfaa75b-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37357",
                "uid": "04a618c5-36d1-429b-9714-722b04f1c37a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:11Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:11Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-ina653a294b0f358b06cce0c7bc5ff7d0db08180bed41a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:01:10+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:55Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f5b0f2e21bd5febd00fe4cbe37d0c5ad134079d5a236b77da76270cd65ea25f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:10Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:10+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e5378e9b36ec056de7dbf08a1c96aee89ebcc15e3f5e8217ff40c0f4bf3e330e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:10Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:10+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/f2285209-22a9-475a-930e-85305789faff",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:54:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-inbac6a52927a4424d425fece4d4f5f31e-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "30845",
                "uid": "f2285209-22a9-475a-930e-85305789faff"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:55:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:55:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-inbac6a52927a44b9b455811f577b375e04039fb4c1e88-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:e1305daec065bf9f30596811ce44e81d04fc3f94b747c67434db1cf4053c1617"
                    }
                ],
                "startTime": "2026-07-04T07:54:04Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://85dd946505727c091f7c0ca08b3e4505482cf8e6d123499215291418811a8480",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:54:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:54:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5aec5b39a33530f02ff2119b567c811770847f177b88d03e6eeb4b2c648d6ff4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:03Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:54:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b92505401a2d1872cf7a3fd3072c96864789bc6105547abadaa1c9769e89031c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:12Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:55:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c44f7bb33556199c7551562a419993cf80e43dd6373eb5a19fd3ef0319559fcc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:29Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:55:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://acc4746c6aa4c1ce0ed54272d18cd9b81bf2e2190aaa3dfeb23aff319d778fbb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:55Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f@sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:e1305daec065bf9f30596811ce44e81d04fc3f94b747c67434db1cf4053c1617\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:55:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-inbac6a52927a4424d425fece4d4f5f31e-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/41b7eb64-e4a5-408c-b427-22a14b28f747",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:08Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-inbac6a52927a4424d425fece4d4f5f31e-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31922",
                "uid": "41b7eb64-e4a5-408c-b427-22a14b28f747"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-inbac6a52927a428f0cab07ddd159c2cdc1ec3cbbf1fb7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:e62082fc85958abc0b930a4ba78f277975509ab152585a0f2fd07dd5706680ef"
                    }
                ],
                "startTime": "2026-07-04T07:56:11Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://151628fd4d404c4b15d435a4c1962c231b4347c96f44814e466d654f0699a9a8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:22Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9@sha256:e62082fc85958abc0b930a4ba78f277975509ab152585a0f2fd07dd5706680ef\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f",
                                "--image-digest",
                                "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/4aa53418-f050-45b1-b78f-c4ee4df09bce",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-inbac6a52927a4424d425fece4d4f5f31e-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31724",
                "uid": "4aa53418-f050-45b1-b78f-c4ee4df09bce"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-inbac6a52927a4e5c822f064c62ed95c7b1a41acf18ce6-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T07:56:21+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:08Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e42ff82330c42706fab02928b748156c85939c927742dc5f35601fde4eafee8f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:21+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cf6ff274518c019cade3c1ae20998786deb3897ac6c4f0d40e0cc126679723bb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:21+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/85edb9cb-407e-44ae-bc9f-e4d26087fbc9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-integr0bafa63cc17413b6c487eb4203e464c1-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "41897",
                "uid": "85edb9cb-407e-44ae-bc9f-e4d26087fbc9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr0bafa63c443df22d372e76870ad35dd46c2a09cf-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\", \"digests\": [\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783152223\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:16Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://51bd2db6c047fb427ecc0449e9eb82a589cb2aa9d0ce58e7a5db5c13764fea96",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:44Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\\\", \\\"digests\\\": [\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152223\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a0ce52d12a6efcac18e893ff492f43b5bbf7793b1de169b310227221fa492ae",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:46Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\\\", \\\"digests\\\": [\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152223\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/3562c8e2-efbf-4540-89da-aad5c3cf6315",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:11Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-integra0bafa63cc17413b6c487eb4203e464c1-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "40487",
                "uid": "3562c8e2-efbf-4540-89da-aad5c3cf6315"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra0bafa63dda9c9b6d06ca5c23ee29d0af4a9bada-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T08:02:24Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://23c4e9ff0eb1daf84346af6346aeaf90dd289fc56df382602b3b36695c6d142b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:59Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314",
                                "--digest",
                                "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/c7c8ba95-7329-4003-bb80-4a7342385c3c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-integra0bafa63cc17413b6c487eb4203e464c1-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "41461",
                "uid": "c7c8ba95-7329-4003-bb80-4a7342385c3c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra0bafa6356ab236937878ab7b31292993f857101-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\", \"digests\": [\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\":\"sha256:3ce166e002c75c73f3dcb93e211503bb76db41489ab65fed91eeec2e56d7254a\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:55+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:12Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://05a854a728d0efc4bcceb636fff1e20c4f8381ca88ff95ad8d939266c278b4bb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:11Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7bcb083b3669b9c478d564f6af08fa3a2790ccc951839cbc277ca0931ac71208",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:49Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://81b1d93a1705b6a9f807c4cc741a936385705be9f1c63d1e498ac07085930756",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:51Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://98b732d4a3a68567a7e17ebda4e7aff93e7abe37642365f26e4bf4f3636daeca",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\\\", \\\"digests\\\": [\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\":\\\"sha256:3ce166e002c75c73f3dcb93e211503bb76db41489ab65fed91eeec2e56d7254a\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:55+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/82e74142-cc4f-4e0c-a504-576376f7ee6d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-integrabac6a52927a4424d425fece4d4f5f31e-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31874",
                "uid": "82e74142-cc4f-4e0c-a504-576376f7ee6d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integrabac6a52d8c89237db54758e4d4df0f0f0b07056-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T07:56:10Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://37b13bc78e57e77936a295c982ed8296c61166869c910b63cdd4a332a8a4945b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f",
                                "--digest",
                                "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/dbc0ffc7-c41a-4d6c-a788-ffd3541876ba",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-integrabac6a52927a4424d425fece4d4f5f31e-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "32351",
                "uid": "dbc0ffc7-c41a-4d6c-a788-ffd3541876ba"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integrabac6a52a0684625b081edbdbbfcc23137083c64-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\", \"digests\": [\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\":\"sha256:4272c24dc046fadaeedf1466da6e87e3f657b504cf8dfc9054ab4d4c9f22c2d1\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:43+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:07Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://40accdc1a9ad25beb673160c88b78169584222f5c5b049d65a7bc7fbc90d74e7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://156ad33e0e75cd359019ece1d11109eb4c55cd708b3977e472b55f0e2de164d1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:35Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://97e3a984cfaff004a2f78cf26aae49c9da9b9aeb5350f47ea3ff17ef418647a2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:38Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1bd63a1ece9c7b9d50d1a048f8c223d81f6f932252a9fc219e7e5fd2c74b5698",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:43Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\\\", \\\"digests\\\": [\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\":\\\"sha256:4272c24dc046fadaeedf1466da6e87e3f657b504cf8dfc9054ab4d4c9f22c2d1\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:43+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/c72ad890-621d-48e7-8601-082fc2feba80",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:36Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-integration-c0bafa63cc17413b6c487eb4203e464c1-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "35711",
                "uid": "c72ad890-621d-48e7-8601-082fc2feba80"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c058aa9d5153bb122cb0b69cf4428508bd-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T07:58:36Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7a194fae11968a167f9a6e5dd7af92e07396d9efdc190b296d39c3a8a102952e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:41Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/c5fdfd95-c3ff-4a11-bede-cdc4cc65e8a3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:53:37Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-integration-cbac6a52927a4424d425fece4d4f5f31e-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "29583",
                "uid": "c5fdfd95-c3ff-4a11-bede-cdc4cc65e8a3"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:53:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:53:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cbbaabde288f73a63106825c03be71567c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T07:53:38Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://85d95770d071e595072c19e69489bc6265f25585430ebf3f1e1b445bafc29e5a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:53:41Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/d75aed8d-f6bf-400a-ac6d-b7a75af951b4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test-integration-clone-16c03a422baf018fd2b6bcb3d2f19785",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "41549",
                "uid": "d75aed8d-f6bf-400a-ac6d-b7a75af951b4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-clf63e4a61f01739c4664ce715b8a14aec-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\", \"digests\": [\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152223\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:02:13Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://bbf76af44a84bce569fe32c04498b2797b9fcbcb072e5d3df4138191a094b345",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:19Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://78764461b5dadf7aa2b4e818041c64f94f12b40bf5de3a8aa068dc9c0619a7de",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:19Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ece9cec19defb6ba63cfe117807585df39c0bfcf8ce52ce7cecbcbcd3aa0477",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:16Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3a8eb2773435243a6a49de1e5c408adfbce19cf55d41c9741f7c3d03ea37b02f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:43Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\", \"digests\": [\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152223\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://ad4b383af79a87577d999febd48ff0c4a34580b01f7136c3068f161ffbb749f9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:44Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314\\\", \\\"digests\\\": [\\\"sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152223\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152223\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3232f73413482331bee3e1d6ee24db6663dd88183d0e65082615443502dce6f0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:45Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152223\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/9b49064d-7e77-4fc3-9c3a-4bee4001e86b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks"
                },
                "name": "konflux-test-integration-clone-2e272dd1efcb48de87f85d1ae030f644",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "38186",
                "uid": "9b49064d-7e77-4fc3-9c3a-4bee4001e86b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl65d950fdc3a089f832bd7c4b2587f619-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\", \"digests\": [\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152090\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:00:54Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://66c0ab047eaae8adff8384141d073290950f0a0c12b2ea07a5aca0de5905e000",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:10Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://22b3f2f5c141e6dfa6eabba0d98307a1a2c9ba6c464bfe57a4c6e4edf5833c8d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:10Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://74866a70e70104b352ed70540218785e10409d7157984cc48b5f20b4027fee9d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:11Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:11Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b7f2e8e1e95b2ac98b0ef8bce86b4ca029d8f0084d80d98d73efc094bc81516f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:30Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\", \"digests\": [\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152090\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://011b6cb88b017cb64e77e3570deef9b4b66eef4ab3f7ccb9015ce77bc4211b2f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:30Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\\\", \\\"digests\\\": [\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152090\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152090\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://8cea4deb82986dc0cf59f8b7d5103d1d164db58c3799f928424079c93df8e97b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:31Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152090\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/116a7b0c-d1a1-43ed-886f-e9dfa56f3143",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-integration-clone-b14a3499266b6c0f02c200c7c186436b",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "33274",
                "uid": "116a7b0c-d1a1-43ed-886f-e9dfa56f3143"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl33249d5375d30259c20e9db1102b9f2b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\", \"digests\": [\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151801\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T07:56:07Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://f1edeb05aecf5c0beff429ec6de0344ba09401e7c9f19adbd879c7652f162ab8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:21Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://8dafa4f8d6cfa6fe84cf4056a7b0585850cad339b27deb6974874b2341b5d5bd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:21Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f37c96993d6d58664dd96024b30b462c8529590e019b07e0d6f82ec521581da6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:22Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a5c75d102628d77b70475a63afe0dd7197f1f208bcd5b39e64ed664feab0fde2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\", \"digests\": [\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151801\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://4a2b225c2cd266f61a480e6a5ee91cc214674adab7085a87eabb8b6dfa18bb89",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:42Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\\\", \\\"digests\\\": [\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783151801\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151801\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1b628d4354789bd319148c14d906b67b4c36d02cda43656929c43ea2a9fb514a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:42Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783151801\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/37c6e5be-1ea3-41eb-80a1-435476b24c72",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags"
                },
                "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37432",
                "uid": "37c6e5be-1ea3-41eb-80a1-435476b24c72"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl3f5815f61a99b05ee903985e135120f4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T08:00:57Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://386341742a3c4d49b1c997b8bbf4154b0287b23bb5ad27d6be6d38be90d7b45a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9",
                                "--digest",
                                "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/927553db-999e-4262-9eeb-1873c4a175f8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan"
                },
                "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "38467",
                "uid": "927553db-999e-4262-9eeb-1873c4a175f8"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cle82110c16fc4eb57af04f1eea39d49fa-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\", \"digests\": [\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\":\"sha256:54350c4d2ecc4571a59c730dfdea2e0efa84caeae401c4ad54b52176fce6936d\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:01:35+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:54Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://46ee5024c405baa9ee888b487c12ceb926f54c352cbfbf2f66af2d45088a3802",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:13Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c6129d17f170277d084783042a851b70758437e90193e2021b02a4761ca5d41a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2962db77609098864de2b8514a6129a6ee33e19ea00d813d8b24aa42c8c21dab",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://42aa3761b20985f1d68db89c61d12508eb50f2f7441a3ece54c28a0293f36174",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:35Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\\\", \\\"digests\\\": [\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\":\\\"sha256:54350c4d2ecc4571a59c730dfdea2e0efa84caeae401c4ad54b52176fce6936d\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:35+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/c3979f53-65b6-4e8b-9b06-09bd82706358",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan"
                },
                "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "38524",
                "uid": "c3979f53-65b6-4e8b-9b06-09bd82706358"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl83f4c04608c5e30083f9c8c6bc556148-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\", \"digests\": [\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783152097\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:55Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7da04b2e0052800604a9bf84e66fff14b793ba55e086ef04d20998209f4726d6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:37Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\\\", \\\"digests\\\": [\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152097\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c330ccc3f88f9b004b72983c79a8af0df384308f3555f64ef791f28d38424fd8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:39Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9\\\", \\\"digests\\\": [\\\"sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152097\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/8f51ec65-71a2-4e6c-83ca-5f74d3c338c8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:58:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "35210",
                "uid": "8f51ec65-71a2-4e6c-83ca-5f74d3c338c8"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:11Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:11Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-clone-zc9tx9-on-push-4cknj-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T07:58:07Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://84e079f6f192069cf32973d05c88064c1d7e644be899d066f712152891ff9bbe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:11Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/6094d79c-721d-4154-9a42-c5a9ea922047",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-test-integrbac6a52927a4424d425fece4d4f5f31e-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "33511",
                "uid": "6094d79c-721d-4154-9a42-c5a9ea922047"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integrbac6a5293790f5a84d1ea80e92789c49e9ff1028-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\", \"digests\": [\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783151810\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:08Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://59cebc75fd487687d28e5016ef1b7cacdcedc8d0e199545454f31b929ad5122c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:50Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\\\", \\\"digests\\\": [\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783151810\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://389b9f85e85d4a647ffefcee53bfdbf35dd6a82ee48ecd96b8d4c372c901bcba",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f\\\", \\\"digests\\\": [\\\"sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783151810\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/commit_sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "build.appstudio.redhat.com/pull_request_number": "9615",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-90b6842457",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-gwceig",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90/records/e9c28978-cde3-4cc6-8519-75511e5f31e3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"872e77c6f45c90fa38541f9be87d74874f2e2314\",\"eventType\":\"pull_request\",\"pull_request-id\":9615}",
                    "results.tekton.dev/result": "group-7qfh/results/a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115825550",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9615",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "872e77c6f45c90fa38541f9be87d74874f2e2314",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                    "tekton.dev/pipelineRunUID": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "konflux-test0bafa63cc17413b6c487eb4203e464c1-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-pwndx",
                        "uid": "a70fc6f6-d0d9-4c9d-811c-16ba0c319c90"
                    }
                ],
                "resourceVersion": "42255",
                "uid": "e9c28978-cde3-4cc6-8519-75511e5f31e3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ffff3c0c72"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test0bafa63cc17413b3c2cd70a4d380445df156139a7c92010-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:20+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:23Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7989fa3ef840258baadc6808459afe1a8f1abea83559e4f179a15950f3853713",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://776fbe994f83ed52a49b05a947d88c1428f6f763759e698bd9755281abfddfee",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-872e77c6f45c90fa38541f9be87d74874f2e2314"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:750b4385e159da3c4745dcadbd5bf65ff60a68df1b69a3c7dec267e19a522f4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/commit_sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-9439f86e15",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-keetls",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #9614 from redhat-appstudio-qe/konflux-konflux-test-integration-clone-zc9tx9\n\nkonflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394/records/67239dbc-e6f9-4a0d-b966-38430d84d69f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"c80d5bb854885bc401823536f8f6522dd6b264d9\",\"eventType\":\"push\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T08:00:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115822183",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "c80d5bb854885bc401823536f8f6522dd6b264d9",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                    "tekton.dev/pipelineRunUID": "513ee34d-cb48-4b1a-bef6-7684da46b394",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check"
                },
                "name": "konflux-testa653a294b0f3826077fb49897bfaa75b-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-push-4cknj",
                        "uid": "513ee34d-cb48-4b1a-bef6-7684da46b394"
                    }
                ],
                "resourceVersion": "37428",
                "uid": "67239dbc-e6f9-4a0d-b966-38430d84d69f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-369a7e7202"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-testa653a294b0f3826b3ce4cc8408ede498959ec0132066af1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:01:10+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:00:57Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://01a5a4528650f90a6840900b45cf8f1b77ca06b323ed1237be71594bed0dc61b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:10Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:10+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3cda1b568fe327841c9be746f40ab192c75b264d469a34f98de5b15f11327a0b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:11Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:01:10+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:c80d5bb854885bc401823536f8f6522dd6b264d9"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8aaed8fc033615190ef107a6a0d04b1038563dcb515387707d7ca7f39a76db67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/commit_sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "build.appstudio.redhat.com/pull_request_number": "9614",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e05f3b2374",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bsoabi",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0/records/69264381-8a3b-49c9-92f1-19d49ac0dbf4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"017b4b04f002c56c8886643b5ee0f5de05123b7f\",\"eventType\":\"pull_request\",\"pull_request-id\":9614}",
                    "results.tekton.dev/result": "group-7qfh/results/f915efff-0df6-452b-bf5b-519041c75fe0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-zc9tx9",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:56:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-zc9tx9",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576043",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-zc9tx9-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9614",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-zc9tx9",
                    "pipelinesascode.tekton.dev/sha": "017b4b04f002c56c8886643b5ee0f5de05123b7f",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                    "tekton.dev/pipelineRunUID": "f915efff-0df6-452b-bf5b-519041c75fe0",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "6ecb269281bf9afc8d1f0695fd0b089a25bc6d423daa05b548cf016b0abcba"
                },
                "name": "konflux-testbac6a52927a4424d425fece4d4f5f31e-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-zc9tx9-on-pull-request-4r4md",
                        "uid": "f915efff-0df6-452b-bf5b-519041c75fe0"
                    }
                ],
                "resourceVersion": "31824",
                "uid": "69264381-8a3b-49c9-92f1-19d49ac0dbf4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-zc9tx9",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-be7d8221de"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-testbac6a52927a4424576e535e4b2a99e9f3fe298666caa1f4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:22+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:10Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3aaf199bae710cae8cff61a0d9a418a76200bc17475e2523ce78d2eafc865b01",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:22+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://740f4df37e298bae48a94bae9fc0631f5e659353e99ad2a7d933529c237509fd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:22+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/konflux-test-integration-clone-zc9tx9:on-pr-017b4b04f002c56c8886643b5ee0f5de05123b7f"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b588dacb4715301627d58a5a614be9046cfaff4d905f13e87fb93a735b1130a8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/e38c649a-c57d-4c84-ac22-a6b0a05bb226",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "pyt02737ad8264c5db34c8ac2746e7d384c-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46230",
                "uid": "e38c649a-c57d-4c84-ac22-a6b0a05bb226"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt02737ad8264c5db34c8ac274c04543b7f2bf06fe661ab99fe86a8f5c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:09:03+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:18Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4c73a391ed2bc1e55c8c576a88173421496914af947879da99b282170313d06f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:03Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:03+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/56f2d2d0-f7f0-48e2-bbc1-8c4dd5cec579",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:15Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "pyt02737ad8264c5db34c8ac2746e7d384c-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46133",
                "uid": "56f2d2d0-f7f0-48e2-bbc1-8c4dd5cec579"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:08:58Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:08:58Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt02737ad8264c5db34c8ac2748601f6fdd9103ca9ac112ed4ae12f246-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\", \"digests\": [\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:08:54+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:15Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://eee7723aeeac6ba1a3da0069b11458a0204b0c9e618d9f98ac7cbc7e64c14a9a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:54Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\\\", \\\"digests\\\": [\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:08:54+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:48Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/8665ff5e-35f7-445a-ac06-05e170cce22a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "pyt119af4caad3dce868a4e7bbc9c51e6d0-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27928",
                "uid": "8665ff5e-35f7-445a-ac06-05e170cce22a"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt119af4caad3dce868a4e7bbc03d22a8584d62a3a11aeb2a2e2c13542-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T07:51:52+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:43Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://87f88b7e04f617b235956549eb00b7ff235d771ca28360dba209acce23efa6ff",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:52Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:52+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/d34d1d04-978f-4398-8a08-74b6bac4ddbe",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "pyt119af4caad3dce868a4e7bbc9c51e6d0-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27905",
                "uid": "d34d1d04-978f-4398-8a08-74b6bac4ddbe"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt119af4caad3dce868a4e7bbc5f8fa2bbfbab666281e9baec92c9aaed-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\", \"digests\": [\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:51:55+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:42Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://170f177c76b572c367179d2b623b11cbed1d9d9d0737cb46eac48b521f39e471",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\\\", \\\"digests\\\": [\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:55+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:49Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/6f766d3c-e3f9-469b-a756-ba90ccbb3964",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check"
                },
                "name": "pyta7be1015ecbabf6fee8363cdc2678f23-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "32940",
                "uid": "6f766d3c-e3f9-469b-a756-ba90ccbb3964"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyta7be1015ecbabf6fee8363cd98ddbe1065176d6b5828ffa177fb09d3-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T07:56:54+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:43Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3e0bc4462fede1d87eca63b6c7942c7995014c3d761fe8daa7d2f4e456610a9c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:54Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:54+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/15fe16fb-2039-40d6-8bf7-77d74da0da9b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "pyta7be1015ecbabf6fee8363cdc2678f23-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "32698",
                "uid": "15fe16fb-2039-40d6-8bf7-77d74da0da9b"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyta7be1015ecbabf6fee8363cdbda6fae4c8cc63cca85a00f391e71196-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\", \"digests\": [\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:56+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:41Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6f56d241328ef637b7ccbba423f4186ac339910a33ebc78127390462b2e010af",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\\\", \\\"digests\\\": [\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:56+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:49Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/86c034f6-78cd-4b06-b15a-d0117966514f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "pytb5a51f44c4f1712cb90baa0a17325326-coverity-availability-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "40288",
                "uid": "86c034f6-78cd-4b06-b15a-d0117966514f"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:02:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:02:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytb5a51f44c4f1712cb90baa0a73135cbc5859654ee6d3d1f912242f15-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:02:57+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:13Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c295865a190489a4feb39768b6f6c3aed83b2df536b29ce4f94ad87f1e788007",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:57Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:02:57+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:57Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/62e2ab0a-7a02-475f-9766-23adaa488efd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:08Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "pytb5a51f44c4f1712cb90baa0a17325326-deprecated-base-image-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "39855",
                "uid": "62e2ab0a-7a02-475f-9766-23adaa488efd"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:02:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:02:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytb5a51f44c4f1712cb90baa0ac1417dded245fd21e6a9ef50d767100b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\", \"digests\": [\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:02:40+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:08Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a83f463a9043640ab65f8fb37126665f57c440e74c4fcfc30e82dfecb39ba1b8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:41Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\\\", \\\"digests\\\": [\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:02:40+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/8d2ecde5-7c03-4d77-9109-b6940e746f71",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:05:24Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-co02737ad8264c5db34c8ac2746e7d384c-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "43599",
                "uid": "8d2ecde5-7c03-4d77-9109-b6940e746f71"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ztjczs"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:05:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:05:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co02737ad8264c5db34c16b5e30709deddc2bc0a8b3bfc836e64-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T08:05:24Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://32891228014d64c2bd1342ff6cf34145fd61e0d4ffda3acaaf71ec7ac3b850e1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:05:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:05:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/dd1bcd00-e0be-46f8-a093-d11c4d8fd092",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:49:08Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-co119af4caad3dce868a4e7bbc9c51e6d0-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "25981",
                "uid": "dd1bcd00-e0be-46f8-a093-d11c4d8fd092"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-dinoci"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:49:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:49:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co119af4caad3dce868aee145a801de85642ed814e6c8a7beb5a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T07:49:08Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1f9765cc7d5e28a72713dabc86af87231d48efefbccb62e1cfb396cdd05290d1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:49:17Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:49:13Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/5fd29c24-488a-4eee-b33c-0ac67d40834e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:47Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-cob5a51f44c4f1712cb90baa0a17325326-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "35781",
                "uid": "5fd29c24-488a-4eee-b33c-0ac67d40834e"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-pvrvgp"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-cob5a51f44c4f1712cb9214cb93cb59978018d8d1d0b8863c0a1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T07:58:48Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7420da8b9ae066acd451612be1b11e6446e4b27ff9d949dc6c0ad6c8d79a43dd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:55Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/8e64119c-9b3b-4cc7-aa06-62a089527003",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:17Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-comp02737ad8264c5db34c8ac2746e7d384c-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "48065",
                "uid": "8e64119c-9b3b-4cc7-aa06-62a089527003"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:10:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:10:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp02737ad8264c5db332d4ec8944f563275d2ae1dd2d74d019-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\", \"digests\": [\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:10:04+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:22Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c38fe5031f4e9dd2dcd96965751a17aa1c901dd0014879356876c62dc5322fc1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:10:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9d585500032cff07719e5d99fd45e0d1591cdc44dabe356c055f05af33c06de9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:10:05Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\\\", \\\"digests\\\": [\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:10:04+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:10:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/acad190a-6c4a-45fd-abd2-aa8b2bb89ba1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:43Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-comp119af4caad3dce868a4e7bbc9c51e6d0-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "28189",
                "uid": "acad190a-6c4a-45fd-abd2-aa8b2bb89ba1"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:52:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:52:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp119af4caad3dce86d11f150433b8250b8ccbf6b26dc9f298-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\", \"digests\": [\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:52:38+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:46Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://00aeb23c602533ddd264d694e96647cfc2388577161a017600e0ff00454fe2fc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://15489020a0e9bf671f49a8a1f3043c542f244ad00097bdbd65ca11ca79f4c4f8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:39Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\\\", \\\"digests\\\": [\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:52:38+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:52:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/0a0c822e-a857-4732-be8e-0030fbcbc6e5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-compb5a51f44c4f1712cb90baa0a17325326-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "42088",
                "uid": "0a0c822e-a857-4732-be8e-0030fbcbc6e5"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compb5a51f44c4f1712c41c1aa5493a60574c9c8e114213701b2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\", \"digests\": [\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:53+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:23Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://83819889eb9c29a80f0e2a686371522991f4a083d255a6eb6051ae5063138195",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ca46368037272670477b10818fd99d7fec97c2aff0448873364f8fba24dfc626",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\\\", \\\"digests\\\": [\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:53+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/853e70be-fe72-4bdc-a51a-e62da4eef4be",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-compo02737ad8264c5db34c8ac2746e7d384c-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46829",
                "uid": "853e70be-fe72-4bdc-a51a-e62da4eef4be"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo02737ad8264c5db5ef3bd8e5f5655c275579b5e68e95e2a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:09:31+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:19Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://758891662c7fc41eadd02100c32cba0e00d04b33958a42d7a2dc9ec072cabbd4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:31+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://930c18931f28b7a08d7696eb3ca95b870c773a7910762be7810236c2b69fff31",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:31+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/35ffe02f-01cd-44aa-becc-c7363f1bb982",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-compo119af4caad3dce868a4e7bbc9c51e6d0-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27940",
                "uid": "35ffe02f-01cd-44aa-becc-c7363f1bb982"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo119af4caad3dce82cf52cc7a025542a7d791ddc02559677-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:51:55+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:44Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5c389bbedef5197d5bdda259f0055d91196aca282bab165f4b0c4acbc81b1e98",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:55Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:55+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c1a2e844ffc7a2d3f58e54421562efe6814519dba75a91cc525eda627399276c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:57Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:55+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/c7ca053b-3711-40fb-a78b-497d12071a9c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-compob5a51f44c4f1712cb90baa0a17325326-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "41708",
                "uid": "c7ca053b-3711-40fb-a78b-497d12071a9c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compob5a51f44c4f171240fbbb1c0fe7b3c1a21c14880ae0d2e5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:11+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:16Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://15935e690bede06520f004d66ab208624650ef90c430e255bd1bca43295f14e0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:11Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:11+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://68f697264d30bc34fbf95574cb1bba8fd3a727a2f16f02bef34dcb257c41045d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:15Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:11+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/79e8b32b-e595-4ade-a5b1-93d3b1183763",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27944",
                "uid": "79e8b32b-e595-4ade-a5b1-93d3b1183763"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-6bjvc-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T07:51:45Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://22e586bc9624618f731d3bc96e3bc8ff98e33d76a15745abb7ba80ce6e5dcbc7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:53Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                                "--digest",
                                "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/2edc8a4d-e5f1-4066-859b-1755222cdd8f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:49:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27030",
                "uid": "2edc8a4d-e5f1-4066-859b-1755222cdd8f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-702035eba900084857f90b80d52132ca-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:cc83133976e32c5e06a90795770afe800ea89900fb10693e9f52b21fcbbf4496"
                    }
                ],
                "startTime": "2026-07-04T07:49:18Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://26573992f99ef019c96a0bb2011e22d2143adedd4e61311b414561e920f006c1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:49:46Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:49:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://390c1eaddfc2bcfa8d3769977f3bdcb052e412ea79c01a040f3a3506a7dd72ca",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:50:21Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:49:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d0471f261d5139c298a7875249ff9d4f0a467a2c0155c0d52370b0a1763495dc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:50:43Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:50:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://948f876489f91acbebe6b85f1b55467f916f594ab111702ebb30775d8e4d43b6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:04Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:50:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3b9f8c14d9cbc43628e5236b9510a6ad2d66f8447cdffe068782cd061dbbc235",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:30Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:cc83133976e32c5e06a90795770afe800ea89900fb10693e9f52b21fcbbf4496\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-o8492g-on-pull-request-6bjvc-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/0a303802-be22-40ef-822a-1f0c37ab2bb8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27371",
                "uid": "0a303802-be22-40ef-822a-1f0c37ab2bb8"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-d24dc47df554cd5ca9e2d5b08892672a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "startTime": "2026-07-04T07:51:31Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://98e10c54d71d4a0f49c4cd8717c9d1e5ea5f1290f4ac7326a727fe2a20a82f6b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:38Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6090b94cd093ed1cceed97bcb546248daa5aba4569a5b3ab81721beae36da585",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:39Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://abf5601261ad1fc9ae86ed6105720b349ea3dffc466362d118a48bd48cded813",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:41Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e@sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-o8492g-on-pull-request-6bjvc-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-o8492g-on-pull-request-6bjvc-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/1a2bb178-1db1-42c6-86b5-8e6e3cf67f2e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "28417",
                "uid": "1a2bb178-1db1-42c6-86b5-8e6e3cf67f2e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:52:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:52:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-6bjvc-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\", \"digests\": [\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\":\"sha256:23a3ee166f15f05ddf5f139e00963bcbbc852ab5bb79f18851a59bc8c9c37d5e\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:52:53+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:42Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://81dab4a093370e59d915ba295d57608402930524a544b34e24b478e080b72d65",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:58Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://93fd4e86c975e1a4c0f02b8d1e6ffd0a84513d3eaac8586cf0b030d8748d7683",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a088afe6fb3004d82e7494c7e7e58757dc56b0cd413dc4391935d4fb3da57ce5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:52:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e1e6f03e228a9da79ce2ce552cf9ab750c66a27569524876ee67893670e06b02",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:54Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\\\", \\\"digests\\\": [\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\":\\\"sha256:23a3ee166f15f05ddf5f139e00963bcbbc852ab5bb79f18851a59bc8c9c37d5e\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:52:53+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:52:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/52c9e3d4-9587-4d69-9435-65298063213f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "28269",
                "uid": "52c9e3d4-9587-4d69-9435-65298063213f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:52:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:52:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-6bjvc-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\", \"digests\": [\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783151561\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:43Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://708ab7cb412d4a82d8ef64cbd49d6545436f2df854f7e16879eb3bec4cd3bef6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:42Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\\\", \\\"digests\\\": [\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783151561\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8071ade0764dad9515ab7d356651a0a228cc420fcf49e909e072c0c6ca241369",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:44Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\\\", \\\"digests\\\": [\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783151561\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:52:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/a84521cd-3688-4bf6-bedd-e3c20341d99a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:49:01Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "25848",
                "uid": "a84521cd-3688-4bf6-bedd-e3c20341d99a"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-dinoci"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:49:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:49:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-3049b01d02a9997ff776ba464819c73f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783151322"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "6a0621b"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-04T07:49:01Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0fc71ad05addde744b4c5e0c07f1a2b7d8d7e1b4abd72a8357982339491b6e1f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:49:06Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151322\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"6a0621b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:49:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c117498b3438f55fab6cb937ba6f15c6759ed9f1ac39f632979a76dd6de0abf2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:49:07Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151322\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"6a0621b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:49:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/4c8bad63-d15b-4fc0-9def-2d7af114e676",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:48:56Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "25697",
                "uid": "4c8bad63-d15b-4fc0-9def-2d7af114e676"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:49:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:49:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-6bjvc-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T07:48:56Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://62121303246db8ff541b23661d8f39d804259c298f056ecb9a0afecfacb2c5d3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:49:00Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:48:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/6c67bb3a-ffcc-4130-8a4b-3d161e9ec0a8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "28000",
                "uid": "6c67bb3a-ffcc-4130-8a4b-3d161e9ec0a8"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-1a5f30d84f2f8466310f841ab7a03164-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:51d17625a159a61f4ceb0f3a07105fb81de6f36a7d5a87caaa5837f63a481189"
                    }
                ],
                "startTime": "2026-07-04T07:51:45Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a0376d9dbf1a0a1aa067bd6d9e1c7d67fbf891b99036890b992e2b5e6eb6d42e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:56Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:51d17625a159a61f4ceb0f3a07105fb81de6f36a7d5a87caaa5837f63a481189\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                                "--image-digest",
                                "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/a2838ae1-9c43-4a53-a44d-5b590618bf62",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27930",
                "uid": "a2838ae1-9c43-4a53-a44d-5b590618bf62"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-0b925958ff934b95b9e6fe594ff54569-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:51:55+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:44Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://86cf2a21d1a862109709d37c4349fa143dedfe0dd70f918a010c5e5abaaa469b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:55Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:55+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dfb4d76234db8df02f3c4724ba5b345819db55d2f5c94d6b4ab5ebb937a5caa0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:57Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:55+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5c40347759",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/7a6d640a-0d5b-447a-a5eb-a3e4e513b167",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull-request-6bjvc-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "27914",
                "uid": "7a6d640a-0d5b-447a-a5eb-a3e4e513b167"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b231cf8179"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:51:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:51:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-9e14c12f19c604b3b6aacc03bac6cb08-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T07:51:53+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:51:42Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://14ffdfed62c6d5454dfef0b3102573d6c2b60720c40a08fec8c399958aec8bbb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:53Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:53+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://762e049dc09cdcc527a888992536953ce4a3f226cb94721d585366d7eff75958",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:54Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T07:51:53+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/2b902176-478e-42f8-9ca6-f3f82dda9049",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46291",
                "uid": "2b902176-478e-42f8-9ca6-f3f82dda9049"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-mjm46-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T08:08:20Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8640b1005f75ebe069ba85335b649b3a1792aaccdeb246c3dd7a2c1f7abc5896",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                                "--digest",
                                "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/f489ec8a-545b-4cd1-bc24-1ea35d34fbf3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:05:33Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "44617",
                "uid": "f489ec8a-545b-4cd1-bc24-1ea35d34fbf3"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:08:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:08:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-69ee1ce33594bf0f087f00089cc34720-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:792f142b7a0f51041e7c874ebc60ee33c6576ad21e8344cfcea93d22c01c117d"
                    }
                ],
                "startTime": "2026-07-04T08:05:33Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fe0511a4af7a422ef4da31c6cf4f458690753f54c74776dc4acd3431b62feda2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:06:06Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:05:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://28cf32c2baaae24534dabfd22c1681b72685bc8b5f92f2fe40c0a8c48c408d3f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:06:49Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:06:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://409cb4409e5ad2eb9d23c242640caf399a35375ea757cfe4364b016bc2ef4861",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:07:11Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:06:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0b9d0a8b8dc9e5735e658fd96d5679f1ac716510688ee103cb1f0c63263e27ce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:07:33Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:07:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://621dcedd4b16e9757ef29ada6cf4286a0b7cf5fb858f2a3f185a91775d237202",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:00Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:792f142b7a0f51041e7c874ebc60ee33c6576ad21e8344cfcea93d22c01c117d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:07:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-o8492g-on-pull-request-mjm46-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/53273184-4b5c-4d95-8d0a-08d0614213cf",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "45577",
                "uid": "53273184-4b5c-4d95-8d0a-08d0614213cf"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:08:14Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:08:14Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-a4821f00b96a317e9913175ece063b34-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "startTime": "2026-07-04T08:08:01Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f3e957b620b98dc17ad5cda5430ee92bc8150f45fd9d7f0dadfa2e2dd93873a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:08Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://787f45b26cb878a957723c7781d6d071cbef9df9116a3446c7141a82d3885553",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:09Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://edbb42bc1aba625158252e25093171c40263b38af75cb70a4c2125d29a30a7a5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:12Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:09Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69@sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-o8492g-on-pull-request-mjm46-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-o8492g-on-pull-request-mjm46-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/0bbcb275-8377-4c7b-af2a-2c2a8f32dc64",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:15Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "48158",
                "uid": "0bbcb275-8377-4c7b-af2a-2c2a8f32dc64"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:10:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:10:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-mjm46-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\", \"digests\": [\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\":\"sha256:0176ccbafc9d727ddb8c840c6ed0ef9551598c3e22f2867f900675823e6d72ce\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:10:06+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:16Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://98a66e757d9a1336db3ee4be2f27e7b6d903e4b17696d33580b9ff806f883229",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:57Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ddcc3c797360865e45159abc9fae011a9af810037cd694e11a5653cb455c075",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://93837cab4217c1106faff913552348d1eecdcd25d46c6d3f4f01590367e8dce7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:40Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a6fb818fd89f46225f85589fcdeba5c67cd22ed7573f707380eea397728839d5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:10:06Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\\\", \\\"digests\\\": [\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\":\\\"sha256:0176ccbafc9d727ddb8c840c6ed0ef9551598c3e22f2867f900675823e6d72ce\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:10:06+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/3409a239-71ac-46f0-bb41-3b6e96620b09",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "47754",
                "uid": "3409a239-71ac-46f0-bb41-3b6e96620b09"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-mjm46-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\", \"digests\": [\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783152594\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:18Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://25f5b9abe63773753daf177b53e0f166a3c62bdefdd346e911bfbd45616af7fb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:54Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\\\", \\\"digests\\\": [\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152594\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://883f7e2c49c31ee61ed42b3a28ed075268fec57f44ff4aa0d1f98d7bb5fba957",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\\\", \\\"digests\\\": [\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152594\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/cdea4ac8-1d6a-4a38-9eac-1a0b6ee6e64e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:05:15Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "43516",
                "uid": "cdea4ac8-1d6a-4a38-9eac-1a0b6ee6e64e"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ztjczs"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:05:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:05:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-378fcf1194ed5d94c74f7cc451b67544-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783152285"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "a3d849d"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-04T08:05:15Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b353b34b2ef88cd97e71c9b78b61942990dc857374cf0b30e8e88db76072845f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:05:20Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783152285\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a3d849d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:05:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bf60f2d364e8c2b0f15044c55d48ff1e9f9c05fe52ac4e7fc3266a59db063c8d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:05:20Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783152285\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a3d849d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:05:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/9c250b06-1384-423f-b027-cefa611064d7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:05:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "43490",
                "uid": "9c250b06-1384-423f-b027-cefa611064d7"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:05:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:05:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-mjm46-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T08:05:08Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b5a10565b8182752670e59172d2da8e9bf24fd9de42f2a3410623d74a8e71c7e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:05:12Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:05:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/6df493e6-22a5-46a2-9352-1dbb46af565e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:17Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46984",
                "uid": "6df493e6-22a5-46a2-9352-1dbb46af565e"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-c0e92148efd84f0ed377e26322950def-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:2600c715e34950972455090a3056015beef855e48c4100429d6e0b2cacb93bf5"
                    }
                ],
                "startTime": "2026-07-04T08:08:21Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://29bede297e73bb7c251df8ae6d362a19c44a46ac070968766c4bedd10c819b75",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:19Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:2600c715e34950972455090a3056015beef855e48c4100429d6e0b2cacb93bf5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                                "--image-digest",
                                "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/f5c63c83-86ba-488f-aed7-d24e0bf73a6e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46824",
                "uid": "f5c63c83-86ba-488f-aed7-d24e0bf73a6e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-84f121b3ad502f11864b18306271da3f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:09:20+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:19Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://279959f2a633fd7f5e2d57f085051c3b288875027da9ed7aa201721bcbe7046f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:20+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c6f41d5448676e90ff9da1863cf1d30b439f78f22d1d31265b086d9c651dabad",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:20+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ba96da86bf",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/543e056c-b3f0-42f1-8835-32ec890b5a7b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-mjm46-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "46518",
                "uid": "543e056c-b3f0-42f1-8835-32ec890b5a7b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b7ea37f353"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-77836ef21ad7435381e2505bd7d5e919-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:09:20+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:08:17Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8bb0e016f11b36baa0538831fe2a3b6ac95d411a8d702e9749e1378f26788583",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:20+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a296df359500ea067dba594ef57892931ecd510247fe7fc524d9d6db6b552054",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:09:20+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/5a6cc51c-9a36-4697-b129-2ee2a96278a7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "40389",
                "uid": "5a6cc51c-9a36-4697-b129-2ee2a96278a7"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-s94lj-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T08:02:21Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ffdf5b7eb439e8fb22f3c63bc66d36fdaeffbb107decd56972b64d8fabe49b64",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:59Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                                "--digest",
                                "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/01c970de-1962-4aaa-8d76-ccd1e6046023",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:58Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "39138",
                "uid": "01c970de-1962-4aaa-8d76-ccd1e6046023"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:01:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:01:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-c905f9f2955cf0a2e599f8afd30adb59-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b393b0bd46fa02c853b0b61ecddee26fbc4af5c9c0eee638f2e52e444b824250"
                    }
                ],
                "startTime": "2026-07-04T07:58:58Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fe55ecb66ccd8a007a28b68d3b4c0260dba2cdba7818cd11cd1091819cb552e1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:59:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://49d73d2f6bb8c312ddf407c07ebbc11f8cf4eaf25cf00966798b2e3e395f1b84",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:28Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:59:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d8e348f8fa190d3631513236c6adb01743b935c63d10b4de3702a13bebfb9f74",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:00:51Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://499c855f61fb08ffbc02da8c0fb3032d920fb2a703b7254f276122281e9939b3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:19Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:00:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9fd71ed5bff39d1e0a0d6fe0e5f6224510061eb12651a3295897c6ed241784c6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:01:46Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b393b0bd46fa02c853b0b61ecddee26fbc4af5c9c0eee638f2e52e444b824250\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-o8492g-on-pull-request-s94lj-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/06df7bed-b024-4e94-ac27-b238c9016c85",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:01:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "39189",
                "uid": "06df7bed-b024-4e94-ac27-b238c9016c85"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:02:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:02:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-d494c6a2a6a1774b537d1adf3408fda8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "startTime": "2026-07-04T08:01:50Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8001763ad64879dc01086526609588a2c8d2b08ef8acce81c1cba095ab37e15e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:00Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:01:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://333d4336f78b970ffedfc751e04b9acf6ebda16367b4900aea346edf639c3b87",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:00Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3875f4069dc8c7a5ccc5846df2cc5d88dc5c340aa4839dcabb8391aad55bf695",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:02:06Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a@sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-o8492g-on-pull-request-s94lj-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-o8492g-on-pull-request-s94lj-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/0d4c98df-2a88-4ee4-ad39-8419d0319eca",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "43101",
                "uid": "0d4c98df-2a88-4ee4-ad39-8419d0319eca"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:04:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:04:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-s94lj-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\", \"digests\": [\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\":\"sha256:446dc6d65305240d16d4b702d99ce643afdc67cb3bbf50035175e9fd3ce646f3\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:04:24+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:09Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6affe9e189ec2111e50c90ad2a586104dc69c66ee267121ad5a4cde058921a71",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:02Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c7e2373a32810674c84fb8d18624a58dd1c2a495e7eeda965d7090c627086ebb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:55Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b8320a44c53483e94ab3adaaa3149c2e1663913461fcca7e31818bd4f1149469",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:59Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://07c8c5cae2b72073cd58fc42f19301300881053c137f9eb9349bf40d2a8192ce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:04:24Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\\\", \\\"digests\\\": [\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\":\\\"sha256:446dc6d65305240d16d4b702d99ce643afdc67cb3bbf50035175e9fd3ce646f3\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:04:24+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/939c745e-6969-4bfa-b193-5a805eda0098",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "41449",
                "uid": "939c745e-6969-4bfa-b193-5a805eda0098"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-s94lj-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\", \"digests\": [\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783152229\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:12Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2dda1d3c5e2c1459f79714411507ae85e485061e6168b3390c1c6579e7d2ea05",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:50Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\\\", \\\"digests\\\": [\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152229\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:02:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0c6c51f8c4190aa811dfafe06d2570d7f2f526413072e45bc1f4bcb609891fea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:52Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\\\", \\\"digests\\\": [\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783152229\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/401ab136-c857-4bcc-9b31-b4aca4eb6e1f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "35717",
                "uid": "401ab136-c857-4bcc-9b31-b4aca4eb6e1f"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-pvrvgp"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-4cea122a2f6894bfe1ca81fe807e8296-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783151861"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "0ad7227"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-04T07:58:38Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4944836d7f20ddc3373d418cf45805871b9658b00b3844cb00ca8d90cb519fbb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:43Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151861\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"0ad7227\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://75396e6ef84ee7921d4d7f7d4c3ccd9a108a77550d3f49cbe830abf57425a5c3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:43Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151861\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"0ad7227\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/c03486fa-ef1c-4ffc-9f8a-be9163d2644d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:58:28Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "35565",
                "uid": "c03486fa-ef1c-4ffc-9f8a-be9163d2644d"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-pull-request-s94lj-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T07:58:28Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://279f261811133b06cbff4df4257a05258bfae1c2b5935d45b294bba8966df3ef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:32Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:58:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/0f5ff82e-b1b1-4a7a-87dc-8ebbf31fc07d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "40451",
                "uid": "0f5ff82e-b1b1-4a7a-87dc-8ebbf31fc07d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-8b7da9587bd96f7d98e54f5d4131df2f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:7165ac2cfc452464492cd4370cced1aa5247c3d5eda57a2f3fa80904660a573f"
                    }
                ],
                "startTime": "2026-07-04T08:02:22Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3bdb6ee4d92c9559afeaa36a8418f7c0d1feb527c0f67a1444b211079c0b6481",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:03Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:7165ac2cfc452464492cd4370cced1aa5247c3d5eda57a2f3fa80904660a573f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:02Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                                "--image-digest",
                                "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/d0681bc2-a3e0-4e50-bd25-6b23c5109879",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "41650",
                "uid": "d0681bc2-a3e0-4e50-bd25-6b23c5109879"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-b953b498b00aaae78bc8cd6e90704bab-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:03:21+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:14Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1d5521636d121ba90e29bba3589dee84d2a2785e2c355290c91061157bc3cb07",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:21+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://47297d0d73b3da73e9502b6b90bb85dfc562e16771bb752fc92231b12fa473a2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:21+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a9bb251948",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/2943c7eb-e0bd-473b-a9b1-f9a5d99f9c4e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull-request-s94lj-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "41385",
                "uid": "2943c7eb-e0bd-473b-a9b1-f9a5d99f9c4e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afda626e43"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:03:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:03:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-a9446e8eabafdf8453c272178640b20a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:03:07+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:02:10Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d34c8680afc2e9879d845baad923e347eb2e87e59def87d7e5c54efd992f886b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:07Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:07+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fbf3693a507efdc9a15b1d806dd485633a2d8df65f672d9005f0f10cfacaa0ed",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:08Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:03:07+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/commit_sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ztjczs",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-mjm46",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa/records/11c42a26-21b3-4fe8-89a4-c4ac5436d055",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3d849d3811a50d612dac0497d5b1e40bfa33f69\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:08:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85116260290",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "a3d849d3811a50d612dac0497d5b1e40bfa33f69",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-mjm46",
                    "tekton.dev/pipelineRunUID": "8dd65380-6fb8-49a5-bf16-956d36ea5daa",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pull468021d183651053f92e3a1724a3fe70",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-mjm46",
                        "uid": "8dd65380-6fb8-49a5-bf16-956d36ea5daa"
                    }
                ],
                "resourceVersion": "47246",
                "uid": "11c42a26-21b3-4fe8-89a4-c4ac5436d055"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:09:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:09:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-77775dcfd0fdccac1667957d90f7704c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\", \"digests\": [\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152586\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:08:17Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e9c8c29b9ca56ddce46e182253cee50d630df0ee7124aade3445d75137835733",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:54Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://a55256425fd4718b375bf8cb5c62d2a42f26da4ba5caf68bef5c9382d76aaf27",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:54Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dd22f9d2914c69a2307b52bd1174e670ed5a6140b44e0291de2921bd52795737",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:08:55Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:55Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9f408f2ffb6b280dce1869fb641d8e67aaab44347ec4ef95fc542789708c76b9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:45Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:08:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\", \"digests\": [\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152586\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://bb84057f59b6fda1a5875381648cd92541368c25fde2eabe357a9deb03be18de",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:46Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69\\\", \\\"digests\\\": [\\\"sha256:b808a75e009a323d000942fbc8c2b5c556e8f309318cfb86edf5c37460d0c0ba\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152586\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152586\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://dc544edf75f140f9a9fcf31f5573a57e62b1e751ed493a3e244ace2bd0289a93",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:09:46Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152586\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:09:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-a3d849d3811a50d612dac0497d5b1e40bfa33f69"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/commit_sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "build.appstudio.redhat.com/pull_request_number": "22785",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dinoci",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-6bjvc",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-o8492g",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa/records/9610d891-cd6a-4068-aeb2-0bf156080efe",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"6a0621b35c52ef553ce9184f2652a7cbe69e944e\",\"eventType\":\"pull_request\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-o8492g",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T07:51:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115321700",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "6a0621b35c52ef553ce9184f2652a7cbe69e944e",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-6bjvc",
                    "tekton.dev/pipelineRunUID": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "411c475ea14d939cb2234552c1f08bff23032c9baf20db8754f54833140103"
                },
                "name": "python-component-o8492g-on-pull7c26341038183466aa79109d2c892be6",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-6bjvc",
                        "uid": "28ac209a-ac33-4b4a-96b9-2e32d3e3bafa"
                    }
                ],
                "resourceVersion": "28348",
                "uid": "9610d891-cd6a-4068-aeb2-0bf156080efe"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:52:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:52:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-e2f61f33c1079b920327341eed969636-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\", \"digests\": [\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151567\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T07:51:42Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://7f23a3e188c9f44cffb3b1a0e0f4622d67b5026136d26f1b2080f699c89ef641",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:55Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://0b37458f680e9183977998d8a2ff68e28f273c7744cb1044a635515eb92da02c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:55Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e755114bff467c743b4b58959738c800929bcd3ce973883b6024358e905b1439",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:51:56Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:56Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f01fa8e7a513a94e8a6fd525a072d8ad7a133d6e2dcd8b4c434c44b797dc7c50",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:46Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:51:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\", \"digests\": [\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151567\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://75a2b1cc28150e63cf544334799f8e192c618c7698103215c5945227c6a862ad",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:47Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e\\\", \\\"digests\\\": [\\\"sha256:9aa589818339f7941cdd4d337fa123982987c40e5eb7ec43526f14e6739f9bb7\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783151567\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:52:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151567\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://b96779d32cd50ad1b8fb12c92dbb01d162c9a3e19932de181bd5f2477839ea70",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:52:48Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783151567\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:52:48Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-6a0621b35c52ef553ce9184f2652a7cbe69e944e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/commit_sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "build.appstudio.redhat.com/pull_request_number": "22786",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-pvrvgp",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-pull-request-s94lj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-vjb1zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768/records/0795d1f1-26a1-4904-9609-17813e6908c9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\",\"eventType\":\"pull_request\",\"pull_request-id\":22786}",
                    "results.tekton.dev/result": "group-7qfh/results/a8a9ec97-f287-45e5-8b99-a20541595768",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-to3mhk-on-pull-request-66fm6 is running for component go-component-to3mhk, waiting for it to create a new group Snapshot for PR group pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-vjb1zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:02:09Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85115824257",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22786",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "0ad72279ed6a8641ebbcd0c87d62fb6d773c958a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-pull-request-s94lj",
                    "tekton.dev/pipelineRunUID": "a8a9ec97-f287-45e5-8b99-a20541595768",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "406381399dab51dadb5523b62e71436cc7fded1c3dcfef3a5d1c065fe7008a"
                },
                "name": "python-component-o8492g-on-pulla1d44d82a63c1167edd1b7072bcb59fb",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-pull-request-s94lj",
                        "uid": "a8a9ec97-f287-45e5-8b99-a20541595768"
                    }
                ],
                "resourceVersion": "42971",
                "uid": "0795d1f1-26a1-4904-9609-17813e6908c9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:04:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:04:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-6aa8d1d976044f89b14949960f06ebf6-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\", \"digests\": [\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152251\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:02:09Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://bbbcc274a765f66187bfa8b6e309cc0d7159d4732d1bf575191ed235f306a9e7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:09Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://0050af9a090975c22b13afad0bcea4635f41ccc40753fac664c2cfe2d7024034",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:09Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fbaceb330c74428defbb797d1afc00a53f4c419929ac08fad2f00948c7aadc33",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:03:09Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:09Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://752e9d3edf495fc96ff1a203cf755c2ca0df4378f0ea2f2329a6d81fb6824931",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:04:10Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:03:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\", \"digests\": [\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152251\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://d8a93406b326ab24079c777ae322838c665368e73b790ee6aa5c1ac0d83103cb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:04:11Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a\\\", \\\"digests\\\": [\\\"sha256:070a012b90a51754f83c9c8e2a4b842122843959ed74bcef0475b068bbfa13bf\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152251\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:04:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783152251\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://b3f7b519e548f6d5b313ce19baf8d57d64a0696bd1ccc23080c14e6dbae3fec0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:04:12Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783152251\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:04:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:on-pr-0ad72279ed6a8641ebbcd0c87d62fb6d773c958a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/7262419a-b757-49fa-91ee-9e265f633ccb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags"
                },
                "name": "python-component-o8492g-on-push-xhwmr-apply-tags",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "33148",
                "uid": "7262419a-b757-49fa-91ee-9e265f633ccb"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T07:56:44Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7edf66566792588618433a4e3495f80cc068640368088c4f2eb2ff4330624ff8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:54Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba",
                                "--digest",
                                "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/b0c49280-ce6a-4fad-bf42-8c37e8ac15b9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:54:05Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah"
                },
                "name": "python-component-o8492g-on-push-xhwmr-build-container",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "32199",
                "uid": "b0c49280-ce6a-4fad-bf42-8c37e8ac15b9"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b55232221ede3a502fcbc01889c8716ce41773f69707b58521d97ad1618de7c3"
                    }
                ],
                "startTime": "2026-07-04T07:54:06Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2e4ed2210e26a44f925a9236e1a2320d13b83c67afd00cde631797718f61409c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:54:38Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:54:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ae0ac85c3e1aa1533d6ddb28addb8c0df76f56a8f0c5a52c51e3aa3b91d3a8b9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:15Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:54:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e7354b274d6edd92bc21b7b8de70421213b4f7b073b81bcff0b16aad79ade47c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:37Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:55:15Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://19674f9e1e6ac1d1a92ec30bc7759a4732e103d5b90c31d8efa8c6bbf99e6e56",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:55:59Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:55:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ed1610f2be4793dde8628ed704deafcb9c91b982648548f3db72c9a8fc005bed",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:28Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:b55232221ede3a502fcbc01889c8716ce41773f69707b58521d97ad1618de7c3\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-o8492g-on-push-xhwmr-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/bd906e0d-fbb8-48c6-b78d-b733b896fe01",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index"
                },
                "name": "python-component-o8492g-on-push-xhwmr-build-image-index",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "32236",
                "uid": "bd906e0d-fbb8-48c6-b78d-b733b896fe01"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "startTime": "2026-07-04T07:56:30Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c4d4803d7687c409c520037855d34376cba2bbf73e6ca50b6fc84adb075850c9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:37Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5c8235657b83007e4cab7eb01de7dda14fb7d778ccd98fef09e3912513b82612",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:37Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://411b84844c636ec8c0cde91faf2b14fb4f6684e6ba5a2e65799048d632c09a0e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:40Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba@sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-o8492g-on-push-xhwmr-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-o8492g-on-push-xhwmr-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/0d58137d-af26-4cb5-8a06-9f61e7098d87",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan"
                },
                "name": "python-component-o8492g-on-push-xhwmr-clair-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "35218",
                "uid": "0d58137d-af26-4cb5-8a06-9f61e7098d87"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:58:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:58:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\", \"digests\": [\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\":\"sha256:227b71382c011a60fc9f0679a1ded32055a466efa29b9f3522468ba504589fc2\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:58:04+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:41Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6ee4bb604af3a800958649f8f72624c2ea80cdd29b5bc29df4b0f383055bc78b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:59Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ce9a8e4c3cb3be6e91a28b3c70c5f67d4b10cce1e97be0e2db67f92a1a2bc309",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:38Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4aa393464ba39465e0ce905f848230842c30d1f77305182cbdb42c77bd7788df",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0d0b3b00bcee9ea95b4816bb12d6d3697fc5b609da6f06c5388772399e10720b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:58:04Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\\\", \\\"digests\\\": [\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\":\\\"sha256:227b71382c011a60fc9f0679a1ded32055a466efa29b9f3522468ba504589fc2\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:58:04+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/d76f432b-d2b0-4c43-9ba0-8e0df08951d4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan"
                },
                "name": "python-component-o8492g-on-push-xhwmr-clamav-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "34130",
                "uid": "d76f432b-d2b0-4c43-9ba0-8e0df08951d4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:57:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:57:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\", \"digests\": [\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783151863\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:42Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://adfad39c9d95b77071d620554f038dea0a1d5d048ce85fa77039219522702a56",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:43Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\\\", \\\"digests\\\": [\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783151863\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a13651aead7e0573cb08d71be950b182e85793860a33d5022c4bd950ca7a58ce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:46Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\\\", \\\"digests\\\": [\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783151863\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/f9323936-6252-4fa1-bb42-e3a42fd8ac62",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:53:44Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone"
                },
                "name": "python-component-o8492g-on-push-xhwmr-clone-repository",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "29671",
                "uid": "f9323936-6252-4fa1-bb42-e3a42fd8ac62"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-sjqlhk"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:53:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:53:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783151588"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "8c40e10"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-04T07:53:45Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dc51ba278db7c7e89c8348733f5d40d12b5d7dbbffd43c030f20fc95f5a3248d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:53:49Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151588\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"8c40e10\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f3bb3c7d6f89e22864eb737a0859d28c1730bf2135619fe901c616f43844387",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:53:50Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783151588\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"8c40e10\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/74c71292-6192-4c46-af5c-ec6b9b8a9ca5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:53:37Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "python-component-o8492g-on-push-xhwmr-init",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "29444",
                "uid": "74c71292-6192-4c46-af5c-ec6b9b8a9ca5"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:53:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:53:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T07:53:37Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://aebcf544b2ade701696d75fa7dd4b24d4e17059d8bbea487664b2eb00d01fdc5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:53:40Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/2e3df7ba-10b7-4372-b816-9eaf7e07a553",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:53:53Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies"
                },
                "name": "python-component-o8492g-on-push-xhwmr-prefetch-dependencies",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "29870",
                "uid": "2e3df7ba-10b7-4372-b816-9eaf7e07a553"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-sjqlhk"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:54:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:54:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-04T07:53:54Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://adef48e79514cc5be4f1b1626c1c64155ce7d11e7a37a0b49cbb8c95aa20301b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:54:02Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:53:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/d0d497a6-f6c4-4477-830f-389f198cc79c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile"
                },
                "name": "python-component-o8492g-on-push-xhwmr-push-dockerfile",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "33163",
                "uid": "d0d497a6-f6c4-4477-830f-389f198cc79c"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:58Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:58Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-push-dockerfile-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:8bc19f80d7d3243e6061201f75c7bcbeb6c8c3cb4adf68a1bac70ca213ae1f68"
                    }
                ],
                "startTime": "2026-07-04T07:56:45Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://004b42cdfb165f5f38062f491528a1cfea0748988594ebd35cf0a81c703ae9c7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:57Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g@sha256:8bc19f80d7d3243e6061201f75c7bcbeb6c8c3cb4adf68a1bac70ca213ae1f68\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba",
                                "--image-digest",
                                "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/afb670ba-5b7b-4147-8c58-f426608cc070",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "python-component-o8492g-on-push-xhwmr-rpms-signature-scan",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "34551",
                "uid": "afb670ba-5b7b-4147-8c58-f426608cc070"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:57:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:57:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\", \"digests\": [\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:57:41+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:46Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ce0b6f753c20a2b2bf6bce070d50dd3be009f1039f4f33a7cb0d7da0790ad7ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8a1493e7f2b073ca2bb12944396d399474f5928db693c8edb209700888eee5b1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:42Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\\\", \\\"digests\\\": [\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:57:41+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/63fd1c9e-dc19-44ef-8304-410d35d8fa7b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check"
                },
                "name": "python-component-o8492g-on-push-xhwmr-sast-shell-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "32989",
                "uid": "63fd1c9e-dc19-44ef-8304-410d35d8fa7b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:57+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:43Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://292a18fc2c538b342442a231e1bbfba498874a1d12f8cdd568e4ff5e2a7b8154",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:57Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:57+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d2f13aa04171d0ebf0497dc645757bb99a17cb19b7f8ddc8543627c6cf3d832d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:59Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:57+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/47fde9c0-febb-43ac-8406-f34eef22a5a9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check"
                },
                "name": "python-component-o8492g-on-push-xhwmr-sast-snyk-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "32891",
                "uid": "47fde9c0-febb-43ac-8406-f34eef22a5a9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-sast-snyk-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T07:56:56+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:42Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9a6ea19eaf1747e6b376c7d425da2f119ad87363ee1187b62c14e67edb206764",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:56Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:56+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://357ea3b57c4e84f5a11fdae5d3e493b296c00a6193a338355d634c57d5be9529",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:56Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:56+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-44ba997b2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/8104cd4c-b628-44d4-8dc2-b71d9fbcbef4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check"
                },
                "name": "python-component-o8492g-on-push-xhwmr-sast-unicode-check",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "33030",
                "uid": "8104cd4c-b628-44d4-8dc2-b71d9fbcbef4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4910d06fd6"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:56:58Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:56:58Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-push-xhwmr-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T07:56:57+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T07:56:44Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://03a6dc86bdb7dd1075ad24815d139df0afbde1174f7a6a6f0cccb8bd1744c1cf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:57Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:57+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:56Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f48624dc926029654edb3d363af1f282361cafdd7606d9c2f5aaa734cbf16743",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:58Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T07:56:57+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:57Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/commit_sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-pyqj0z",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-sjqlhk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/group-7qfh/pipelinerun/python-component-o8492g-on-push-xhwmr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-pyqj0z\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-o8492g-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22785 from redhat-appstudio-qe/konflux-python-component-o8492g\n\nkonflux-ci e2e-tests update python-component-o8492g",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-pyqj0z",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe/records/8598b3be-77d8-4716-92c2-e715cd80ae6c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"8c40e1090906bb6721c31ef7d1e611755dee5fba\",\"eventType\":\"push\",\"pull_request-id\":22785}",
                    "results.tekton.dev/result": "group-7qfh/results/ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-04T07:56:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-1l6g",
                    "appstudio.openshift.io/component": "python-component-o8492g",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85115576548",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-o8492g-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22785",
                    "pipelinesascode.tekton.dev/repository": "go-component-to3mhk",
                    "pipelinesascode.tekton.dev/sha": "8c40e1090906bb6721c31ef7d1e611755dee5fba",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRun": "python-component-o8492g-on-push-xhwmr",
                    "tekton.dev/pipelineRunUID": "ec42af81-ffa5-4a81-96de-6fa12613a8fe",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks"
                },
                "name": "python-component-o8492g-on-push6cc04eb96a08c15dd4f0c1f7827bf775",
                "namespace": "group-7qfh",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-o8492g-on-push-xhwmr",
                        "uid": "ec42af81-ffa5-4a81-96de-6fa12613a8fe"
                    }
                ],
                "resourceVersion": "34040",
                "uid": "8598b3be-77d8-4716-92c2-e715cd80ae6c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-o8492g",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T07:57:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T07:57:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-o8492g-on-9053bfe77c1f2d1cd215677e5ee6d796-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\", \"digests\": [\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151867\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T07:56:41Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e79c0bd861284f763b187c9af012aa64b4da4e49df29833b1373f13ad5b0974d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:56Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://11a146d0ad1ac240615159ca2dba92d70857915d831aced8c7274e7169930faa",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:57Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://101cdf17c32dc4bdbc77e8b765cbdc282743c7ab9c62e25ee72aea996f98e7b2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:56:58Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:58Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c808ac6a7d1c28f152d9dd88ecf944b9b96bdc357c7228cbecb7052deeac3d74",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:46Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:56:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\", \"digests\": [\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151867\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://bca2762586035ea9682d434693813230d66ae5ff78daa513f3babbe6b9edb381",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:47Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba\\\", \\\"digests\\\": [\\\"sha256:34aa8f923dc50177323bf37a35ebc9de8fa435c082dcde2ebeaa5beec2461a25\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783151867\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783151867\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://def983b823f250ca3651522ea2b5cad11196fd5a42112d4b0c9ed63bef7b331a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T07:57:48Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783151867\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T07:57:48Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-7qfh/python-component-o8492g:8c40e1090906bb6721c31ef7d1e611755dee5fba"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/85870b1e-aba1-466a-ad11-41174b87c038/records/93f32a06-9c7b-4b97-99b4-49953f2cb8cd",
                    "results.tekton.dev/result": "integration2-5eq1/results/85870b1e-aba1-466a-ad11-41174b87c038",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-04T08:22:59Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-6enp-6m6mp",
                    "tekton.dev/pipelineRunUID": "85870b1e-aba1-466a-ad11-41174b87c038",
                    "tekton.dev/pipelineTask": "task-fail",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/run": "integration-test-6enp",
                    "test.appstudio.openshift.io/scenario": "integration-test-6enp",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-6enp-6m6mp-task-fail",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-6enp-6m6mp",
                        "uid": "85870b1e-aba1-466a-ad11-41174b87c038"
                    }
                ],
                "resourceVersion": "61531",
                "uid": "93f32a06-9c7b-4b97-99b4-49953f2cb8cd"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "FAILURE"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-6enp-6m6mp-task-fail-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:23:05+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:22:59Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9abaa9d163e0f42cfb0e06cf5d2863851709fc7e0e69a40a6de847b1ccb4c6ea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:05Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:05+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:05Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT FAILURE --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/85870b1e-aba1-466a-ad11-41174b87c038/records/93f1cdbe-d6e4-4c52-93de-08a0e19cab29",
                    "results.tekton.dev/result": "integration2-5eq1/results/85870b1e-aba1-466a-ad11-41174b87c038",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-04T08:22:59Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-6enp-6m6mp",
                    "tekton.dev/pipelineRunUID": "85870b1e-aba1-466a-ad11-41174b87c038",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/run": "integration-test-6enp",
                    "test.appstudio.openshift.io/scenario": "integration-test-6enp",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-6enp-6m6mp-task-skipped",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-6enp-6m6mp",
                        "uid": "85870b1e-aba1-466a-ad11-41174b87c038"
                    }
                ],
                "resourceVersion": "61523",
                "uid": "93f1cdbe-d6e4-4c52-93de-08a0e19cab29"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-6enp-6m6mp-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:23:07+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:00Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f568308ca8009f1afb71b87188abd8de69b9ab54c10ff29ae07c491fe6700f81",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:07Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:07+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/85870b1e-aba1-466a-ad11-41174b87c038/records/146ef25c-a7cf-4ef2-9160-bd91abe3ac9f",
                    "results.tekton.dev/result": "integration2-5eq1/results/85870b1e-aba1-466a-ad11-41174b87c038",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-04T08:22:59Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-6enp-6m6mp",
                    "tekton.dev/pipelineRunUID": "85870b1e-aba1-466a-ad11-41174b87c038",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/run": "integration-test-6enp",
                    "test.appstudio.openshift.io/scenario": "integration-test-6enp",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-6enp-6m6mp-task-success",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-6enp-6m6mp",
                        "uid": "85870b1e-aba1-466a-ad11-41174b87c038"
                    }
                ],
                "resourceVersion": "61526",
                "uid": "146ef25c-a7cf-4ef2-9160-bd91abe3ac9f"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-6enp-6m6mp-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:23:06+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:22:59Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0c6448839d4e356614ebadb314fd74a28f329dfcdda076a0fae054fa0c07558e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:06+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:05Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/dd43f935-a6dd-4071-96df-7373c31138dc/records/51a70bc5-3c0d-49cc-831a-3c178736713e",
                    "results.tekton.dev/result": "integration2-5eq1/results/dd43f935-a6dd-4071-96df-7373c31138dc",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-04T08:23:00Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:50Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-6enp-lbljd",
                    "tekton.dev/pipelineRunUID": "dd43f935-a6dd-4071-96df-7373c31138dc",
                    "tekton.dev/pipelineTask": "task-fail",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/scenario": "integration-test-6enp",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-6enp-lbljd-task-fail",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-6enp-lbljd",
                        "uid": "dd43f935-a6dd-4071-96df-7373c31138dc"
                    }
                ],
                "resourceVersion": "61373",
                "uid": "51a70bc5-3c0d-49cc-831a-3c178736713e"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "FAILURE"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-6enp-lbljd-task-fail-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:23:08+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:01Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ba043af533a0172e38915577c0a2a36405b215acacfbeed82f7972914fa8c86e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:08Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:08+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT FAILURE --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/dd43f935-a6dd-4071-96df-7373c31138dc/records/86f0276b-9548-440e-b175-9b529d2235d7",
                    "results.tekton.dev/result": "integration2-5eq1/results/dd43f935-a6dd-4071-96df-7373c31138dc",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-04T08:23:00Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:50Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-6enp-lbljd",
                    "tekton.dev/pipelineRunUID": "dd43f935-a6dd-4071-96df-7373c31138dc",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/scenario": "integration-test-6enp",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-6enp-lbljd-task-skipped",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-6enp-lbljd",
                        "uid": "dd43f935-a6dd-4071-96df-7373c31138dc"
                    }
                ],
                "resourceVersion": "61369",
                "uid": "86f0276b-9548-440e-b175-9b529d2235d7"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-6enp-lbljd-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:23:08+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:01Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://43ba296a38b7f8a510c123d1ee94bbedefc53ec62048dea28fa4de43185a7ea3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:08Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:08+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/dd43f935-a6dd-4071-96df-7373c31138dc/records/e1d29d1e-1678-4002-97d4-de597b7c3fc5",
                    "results.tekton.dev/result": "integration2-5eq1/results/dd43f935-a6dd-4071-96df-7373c31138dc",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-04T08:22:59Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:50Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-6enp-lbljd",
                    "tekton.dev/pipelineRunUID": "dd43f935-a6dd-4071-96df-7373c31138dc",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/scenario": "integration-test-6enp",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-6enp-lbljd-task-success",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-6enp-lbljd",
                        "uid": "dd43f935-a6dd-4071-96df-7373c31138dc"
                    }
                ],
                "resourceVersion": "61370",
                "uid": "e1d29d1e-1678-4002-97d4-de597b7c3fc5"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-6enp-lbljd-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:23:08+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:00Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5b371135bb23327da60d7e323ca991f92c8e883f4d50df87c7722cc5b5739f38",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:08Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:08+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/d600c0cc-efa9-4277-861f-df68ea308db5/records/cfa2e40b-84a7-4711-8896-8c2663f905c2",
                    "results.tekton.dev/result": "integration2-5eq1/results/d600c0cc-efa9-4277-861f-df68ea308db5",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/git-reporter-status": "{\"scenarios\":{\"integration-test-6enp-integ-app-qxn3-20260704-081940-000\":{\"lastUpdateTime\":\"2026-07-04T08:23:08.37003206Z\"}}}",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-6enp\",\"status\":\"TestFail\",\"lastUpdateTime\":\"2026-07-04T08:23:08.37003206Z\",\"details\":\"Integration test failed\",\"startTime\":\"2026-07-04T08:22:58.309795018Z\",\"completionTime\":\"2026-07-04T08:23:08.37003206Z\",\"testPipelineRunName\":\"integration-test-6enp-lbljd\"}]"
                },
                "creationTimestamp": "2026-07-04T08:23:21Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:51Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-lrvq-vk6sw",
                    "tekton.dev/pipelineRunUID": "d600c0cc-efa9-4277-861f-df68ea308db5",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/run": "integration-test-lrvq",
                    "test.appstudio.openshift.io/scenario": "integration-test-lrvq",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-lrvq-vk6sw-task-skipped",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-lrvq-vk6sw",
                        "uid": "d600c0cc-efa9-4277-861f-df68ea308db5"
                    }
                ],
                "resourceVersion": "61384",
                "uid": "cfa2e40b-84a7-4711-8896-8c2663f905c2"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-lrvq-vk6sw-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:23:26+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:22Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e4c07d2b5b7a7069423f68da7fb5d15566ecb5f00e27def8d0bfac1e58d1cc8e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:26+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/d600c0cc-efa9-4277-861f-df68ea308db5/records/ccb2aa65-0e98-4ff5-9c25-fb7152459ffb",
                    "results.tekton.dev/result": "integration2-5eq1/results/d600c0cc-efa9-4277-861f-df68ea308db5",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/git-reporter-status": "{\"scenarios\":{\"integration-test-6enp-integ-app-qxn3-20260704-081940-000\":{\"lastUpdateTime\":\"2026-07-04T08:23:08.37003206Z\"}}}",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-6enp\",\"status\":\"TestFail\",\"lastUpdateTime\":\"2026-07-04T08:23:08.37003206Z\",\"details\":\"Integration test failed\",\"startTime\":\"2026-07-04T08:22:58.309795018Z\",\"completionTime\":\"2026-07-04T08:23:08.37003206Z\",\"testPipelineRunName\":\"integration-test-6enp-lbljd\"}]"
                },
                "creationTimestamp": "2026-07-04T08:23:21Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:51Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-lrvq-vk6sw",
                    "tekton.dev/pipelineRunUID": "d600c0cc-efa9-4277-861f-df68ea308db5",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/run": "integration-test-lrvq",
                    "test.appstudio.openshift.io/scenario": "integration-test-lrvq",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-lrvq-vk6sw-task-success",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-lrvq-vk6sw",
                        "uid": "d600c0cc-efa9-4277-861f-df68ea308db5"
                    }
                ],
                "resourceVersion": "61388",
                "uid": "ccb2aa65-0e98-4ff5-9c25-fb7152459ffb"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-lrvq-vk6sw-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:23:26+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:21Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0c11a23561209ae2ab7acc35f3c46116a117cf1e4747ae6ee2a12772ac5716ce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:26+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-i045dd",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-rpwnov",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/d600c0cc-efa9-4277-861f-df68ea308db5/records/3ca0e464-b707-4400-9115-c7d4020b8349",
                    "results.tekton.dev/result": "integration2-5eq1/results/d600c0cc-efa9-4277-861f-df68ea308db5",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/git-reporter-status": "{\"scenarios\":{\"integration-test-6enp-integ-app-qxn3-20260704-081940-000\":{\"lastUpdateTime\":\"2026-07-04T08:23:08.37003206Z\"}}}",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783153180000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/result-chains-git-commit": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-6enp\",\"status\":\"TestFail\",\"lastUpdateTime\":\"2026-07-04T08:23:08.37003206Z\",\"details\":\"Integration test failed\",\"startTime\":\"2026-07-04T08:22:58.309795018Z\",\"completionTime\":\"2026-07-04T08:23:08.37003206Z\",\"testPipelineRunName\":\"integration-test-6enp-lbljd\"}]"
                },
                "creationTimestamp": "2026-07-04T08:23:21Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:51Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "appstudio.openshift.io/snapshot": "integ-app-qxn3-20260704-081940-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "85117153127",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30795",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-4fxhok",
                    "pac.test.appstudio.openshift.io/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-lrvq-vk6sw",
                    "tekton.dev/pipelineRunUID": "d600c0cc-efa9-4277-861f-df68ea308db5",
                    "tekton.dev/pipelineTask": "task-success-2",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783153376",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325",
                    "test.appstudio.openshift.io/run": "integration-test-lrvq",
                    "test.appstudio.openshift.io/scenario": "integration-test-lrvq",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-lrvq-vk6sw-task-success-2",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-lrvq-vk6sw",
                        "uid": "d600c0cc-efa9-4277-861f-df68ea308db5"
                    }
                ],
                "resourceVersion": "61385",
                "uid": "3ca0e464-b707-4400-9115-c7d4020b8349"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:23:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:23:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-lrvq-vk6sw-task-success-2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:23:25+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:23:21Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:37299834a7a95c042e2d9bc24d0668ccfc8dd4c96baf1339a0f3f46915e91455",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7c929c71309b7528a2b49f645dd21d275433d6c27a4e233374ca31959616b2e3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:23:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:23:25+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:23:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/96a68f1d-693b-40af-b8fd-b53a7e6fb020",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "tesab6d8ae5b4d31aac2d279b81d1916d3a-coverity-availability-check",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61513",
                "uid": "96a68f1d-693b-40af-b8fd-b53a7e6fb020"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tesab6d8ae5b4d31aac2d279b81b3c68d08de699b232558c5e58583a211-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-04T08:22:22+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:12Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a05c6f53beb80e1169ed49f731ad3774e218e4fde502bbf7d574c3a242a67005",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:22Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:22+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/1990c43b-59d7-40b0-9b5e-203832ffc52d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:55Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "tesab6d8ae5b4d31aac2d279b81d1916d3a-deprecated-base-image-check",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61465",
                "uid": "1990c43b-59d7-40b0-9b5e-203832ffc52d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tesab6d8ae5b4d31aac2d279b81102af3b5170b01afeb17dc03be79743a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\", \"digests\": [\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:22:24+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:10Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3372aa50d4153e1afb45e773ea5c91876df78cb7df5badbdc839e06501461dc3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:24Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\\\", \\\"digests\\\": [\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:24+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/7a6cabae-0e3b-4393-9e38-ad15d3fd0ec4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-componab6d8ae5b4d31aac2d279b81d1916d3a-rpms-signature-scan",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61504",
                "uid": "7a6cabae-0e3b-4393-9e38-ad15d3fd0ec4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-componab6d8ae5b4d31aac42148933ec2e86d180d4659d145cc551-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\", \"digests\": [\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:22:44+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:14Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b12845b0d3dc0b88d3c44d83de5728b42b650211e80d400b57fdfc5595640252",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:43Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://31086dbffe94998827b04a883fe0a89fb894f55f04609a0853d1c70a22fb7406",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:45Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\\\", \\\"digests\\\": [\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:44+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-da89cbe3d1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/0c45aa14-69fe-4f3d-9752-70e200ac324e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-componeab6d8ae5b4d31aac2d279b81d1916d3a-sast-unicode-check",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61498",
                "uid": "0c45aa14-69fe-4f3d-9752-70e200ac324e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-0e420327e9"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-componeab6d8ae5b4d31aa7863fd90e5dcebc484469057ce477f7c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:22:27+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:12Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://374acb5ca87a93c253d1676f7c21921fa505f2ff4cb1aeb4276bbcf218e0c3e9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:27Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:27+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://44473689c561772402fc44b29bcec8e5fae033ee07843f7712c678bb6594b58e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:29Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:27+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/1c82fc2f-ceeb-4ad3-96fc-e37a2f742ded",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:00Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:55Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-componenab6d8ae5b4d31aac2d279b81d1916d3a-build-image-index",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61459",
                "uid": "1c82fc2f-ceeb-4ad3-96fc-e37a2f742ded"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:10Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:10Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-componenab6d8ae5b4d31ab482d1ecbcbec6e808d45eb7d82daaf1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "startTime": "2026-07-04T08:22:00Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://66139077ac5307f22c5fe121fb463694e9edfa407837c55e369856c62a3e7b45",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:06Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fbe83eba1b66a7fee3e8b48cca4df87cdc207d1432025125780c222baeef3bf2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:07Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b6fc119a037f6bd2aecf9a5d3958fee9a8a8c05099fd49d268fa9325fa7d461a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:09Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:test-componenab6d8ae5b4d31aac2d279b81d1916d3a-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:test-componenab6d8ae5b4d31aac2d279b81d1916d3a-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/2ff61b1b-6cb6-4e66-943f-b8d4a30fa732",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pu84ea648ecc908a6483f2b240198d31fb",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61507",
                "uid": "2ff61b1b-6cb6-4e66-943f-b8d4a30fa732"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-oc6ab620380edb065671653abb7db199f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\", \"digests\": [\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783153364\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-04T08:22:10Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://157ac817e1590b4f4c17041891d5d9d2dd587ffdb9460c90a099d783d4603fc8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:24Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://ab22766851b2bf473b1dbf070aa88fd100dbb9a7ed8456f5b66c0699eb0d53fb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:24Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bfe073f9caa606ecbec3cecbf5e03c0e6f09231bac63188947f6228b5cb5395d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:24Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:24Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8eab34171d7954d5df1db0b664cca91ef2ac55a31d9d6d063dddf9cd5c2d1268",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\", \"digests\": [\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783153364\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://208c0143cfaf4bad4dc7bba7e14fc35ce4484c6c0ecbc464e961824aa00480a3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:45Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\\\", \\\"digests\\\": [\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783153364\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783153364\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://86141d669b61c851ea44799163268d97eb0244e5c805a61d54b216f63f76232b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:45Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783153364\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/85b3812e-1ca2-4683-b3a2-1ca848ca6e54",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-apply-tags",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61491",
                "uid": "85b3812e-1ca2-4683-b3a2-1ca848ca6e54"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-on-pull-request-qjpfr-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-04T08:22:13Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a9b4aaf846364c25ce3f90fe4f50a8fdd835f9d30ba57359872bf825329143e5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:23Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                                "--digest",
                                "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-da89cbe3d1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/d8e41995-f335-4591-a338-ec43c20baa8f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:20:12Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-build-container",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61520",
                "uid": "d8e41995-f335-4591-a338-ec43c20baa8f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-0e420327e9"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-o980631da3f8c62c38da08c0667e2d111-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:89a7aa579207084c4c6ee4be527bef0cdbc2b3961b6e1f86909f659e45d9179c"
                    }
                ],
                "startTime": "2026-07-04T08:20:12Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7df82c5bb8d991b6d35cc9ca5a4946ff8570c1a182b02e0dd8af9534a25f9f28",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:20:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:20:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f36666e5c459442194acf1cc85db7059444871c52c4c77802d55abeccd3c9169",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:21:06Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:20:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b605dab3dc8d981bb58382fd30ee9046a402211f57d7adb5f288006379029a6e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:21:16Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:21:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://80b19d49f6c50f8470f5893b000e9040ed97d9ea4657fa6de724d92e427c7599",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:21:33Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:21:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e97b441d1c08975f1beb37ad6a77651c12290d9e3203ab2c8062264008f9acff",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:21:59Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7@sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:89a7aa579207084c4c6ee4be527bef0cdbc2b3961b6e1f86909f659e45d9179c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:21:33Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "test-component-pac-4fxhok-on-pull-request-qjpfr-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/3afaf2f0-d7b2-4b65-8a93-8f961aaa0f0b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-clair-scan",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61468",
                "uid": "3afaf2f0-d7b2-4b65-8a93-8f961aaa0f0b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-on-pull-request-qjpfr-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\", \"digests\": [\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\":\"sha256:4d7304e455d7b4755777b6b295d355ec91c8e37921295a9bbdd29e90f76c33c6\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:22:48+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:10Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://173d7bf3f4cdf5f70bd9a4202c061e38cf470277a993892fab8c2654eecb918d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fe370a1153757347d41586eea91cd7782ffd791bb87384fd2b7e47b8dec7f70a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b96565f57d7cdb9d5fca7d77128fb793c50a5c3eb0e1ac7465b3cad51a89274d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7047711b7bf3eeb8795c5b099fcbc39959b98f4389f4aa2af6aab89853cc9627",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:48Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\\\", \\\"digests\\\": [\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\":\\\"sha256:4d7304e455d7b4755777b6b295d355ec91c8e37921295a9bbdd29e90f76c33c6\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:48+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/7e3312a6-09a8-4cf2-88a6-24e04135bf50",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:55Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-clamav-scan",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61452",
                "uid": "7e3312a6-09a8-4cf2-88a6-24e04135bf50"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-on-pull-request-qjpfr-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\", \"digests\": [\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783153372\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:11Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:c99765a1c1493f281d776f3f589960cb21a344733f36cf7d755479a56edb937b",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b53f1a4b764eca2c8ba069bf98b39e905d5d977853633429c452ca43aec477eb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:52Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\\\", \\\"digests\\\": [\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783153372\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a7788d688d1315cda554df3f0fb564bf9c14a7286e60bdde56ef907b2209ebc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7\\\", \\\"digests\\\": [\\\"sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783153372\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/24630575-2c9e-4056-9871-5c1cf243b1a6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:19:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-init",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61517",
                "uid": "24630575-2c9e-4056-9871-5c1cf243b1a6"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:19:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:19:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-on-pull-request-qjpfr-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-04T08:19:51Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://39772f880531fbbfe5a91cc9a004aeedcd50562cc59a841e3dcdd614be2ed5cb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:19:54Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:19:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-da89cbe3d1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/d36694e7-c980-4e28-a5ef-ba3a7cdd33d9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-push-dockerfile",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61501",
                "uid": "d36694e7-c980-4e28-a5ef-ba3a7cdd33d9"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-0e420327e9"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-oa5cd92e6f7bb3cdfc6a6ca9583062867-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:afbb47c2f8d3dd993868da85cda27ede137a09b96bcd5cd65dbebf0692da69a6"
                    }
                ],
                "startTime": "2026-07-04T08:22:13Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f0ac42cf90d536afc386d0d9e6562006fca007de07aeabcbc701e9d167d883ec",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:27Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok@sha256:afbb47c2f8d3dd993868da85cda27ede137a09b96bcd5cd65dbebf0692da69a6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7",
                                "--image-digest",
                                "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-da89cbe3d1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/ce5948fd-4e69-4562-a3eb-fbeba03e30d7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-component-pac-4fxhok-on-pull-request-qjpfr-sast-snyk-check",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61510",
                "uid": "ce5948fd-4e69-4562-a3eb-fbeba03e30d7"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-0e420327e9"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-4fxhok-o2cfe0853940a48c34339a4a4950d6e12-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-04T08:22:23+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:11Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f0eb6e37199c8f1a80efe133812ba87e929c27ef0ff7ff8f2bbc0fd6206b1088",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:23+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e18ad92dd9970fd9af44547700aaee2a7cf9c9199bfc39bdfd5635dd0f098e05",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:23+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-da89cbe3d1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/bcdfc1fd-3c03-4792-bf46-97a563e49967",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:19:55Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-componentab6d8ae5b4d31aac2d279b81d1916d3a-clone-repository",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61480",
                "uid": "bcdfc1fd-3c03-4792-bf46-97a563e49967"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    },
                    {
                        "name": "revision",
                        "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-0e420327e9"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-rpwnov"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:20:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:20:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-componentab6d8ae5b4d310efe6a0aa4d32150f84640a29b7bb86a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783153175"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "94e5201"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    }
                ],
                "startTime": "2026-07-04T08:19:55Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://076751813d24250f3b37dc9d8773d9bcc1caff9f63f2116dc1363d504e025380",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:20:00Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1},{\"key\":\"commit\",\"value\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783153175\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"94e5201\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:20:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3171c7ee60a145f4b5e4e22b1e68f1940e2b9eccabcda8b27a4f7d9c204ff879",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:20:01Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1},{\"key\":\"commit\",\"value\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783153175\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"94e5201\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:20:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/commit_sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "build.appstudio.redhat.com/pull_request_number": "30795",
                    "build.appstudio.redhat.com/target_branch": "base-i045dd",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-da89cbe3d1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-i045dd",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-rpwnov",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.205.209.20:9443/ns/integration2-5eq1/pipelinerun/test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-i045dd\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8/records/313fb7f0-7df3-4718-8efd-4f9602c94ff6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"94e52012ce806126752210bbd3c9df2a914a98e7\",\"eventType\":\"pull_request\",\"pull_request-id\":30795}",
                    "results.tekton.dev/result": "integration2-5eq1/results/4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-4fxhok",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-04T08:22:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-04T08:23:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-qxn3",
                    "appstudio.openshift.io/component": "test-component-pac-4fxhok",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85117153127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-4fxhok-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30795",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-4fxhok",
                    "pipelinesascode.tekton.dev/sha": "94e52012ce806126752210bbd3c9df2a914a98e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRun": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                    "tekton.dev/pipelineRunUID": "4d557d1a-66e6-4b0e-b276-4504524dacd8",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "9a2dc3ba6a6cbcddafa4edf33e28a20035ef40d7937523f8c34a2f91154325"
                },
                "name": "test-componentab6d8ae5b4d31aac2d279b81d1916d3a-sast-shell-check",
                "namespace": "integration2-5eq1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-4fxhok-on-pull-request-qjpfr",
                        "uid": "4d557d1a-66e6-4b0e-b276-4504524dacd8"
                    }
                ],
                "resourceVersion": "61484",
                "uid": "313fb7f0-7df3-4718-8efd-4f9602c94ff6"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-4fxhok",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-0e420327e9"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-04T08:22:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-04T08:22:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-componentab6d8ae5b4d31e34d69549d220b3637f7f8caa62eae84-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-04T08:22:26+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-04T08:22:12Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://01a1368d25e80e2f354d2e3e3470c77a800021c45f2edf765ae7a497910b1065",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:26+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://27163b83217b8082719fc235d13bebd5c681517a7570fcdff7cb8111bc327102",
                            "exitCode": 0,
                            "finishedAt": "2026-07-04T08:22:28Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-04T08:22:26+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-04T08:22:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration2-5eq1/test-component-pac-4fxhok:on-pr-94e52012ce806126752210bbd3c9df2a914a98e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46342d9501f9f0a724f1455e1b7775f5b91a6e6460aac1b5cd4ea3cac4354c20"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
